Conversation

@tmikula-dev (Collaborator) commented Nov 27, 2025

WORK IN PROGRESS

Summary by CodeRabbit

  • Chores
    • Replaced the existing repository security scan workflow with a new full-repository AquaSec scan.
    • New scan triggers on pull requests and manual runs, retrieves results and exposes them in JSON.
    • Scan findings are surfaced in workflow and pull request outputs.
    • Implements secure authentication handling, masking of tokens, and explicit error paths.
    • Removed the previous Trivy-based repository scan.


@tmikula-dev tmikula-dev self-assigned this Nov 27, 2025
@tmikula-dev tmikula-dev added enhancement New feature or request work in progress Work on this item is not yet finished (mainly intended for PRs) labels Nov 27, 2025
@coderabbitai bot commented Nov 27, 2025

Walkthrough

Removes the Trivy repository-scan workflow and adds an AquaSec full-repository scan workflow that authenticates to AquaSec, retrieves the GitHub repository ID, requests scan results, and emits the scan JSON via GITHUB_OUTPUT.

Changes

Cohort / File(s) | Change Summary

Removed workflow: .github/workflows/trivy_repository_scan.yml
Deleted the Trivy-based repository scan workflow that ran filesystem Trivy scans, uploaded SARIF to Security Hub, produced a PR comment, and generated a markdown summary.

Added AquaSec workflow: .github/workflows/aquasec_repository_scan.yml
Added a GitHub Actions workflow that authenticates to AquaSec via a signed POST (API key/secret), masks the returned bearer token, fetches the GitHub repository ID from the GitHub API, requests AquaSec scan results for that repo ID, errors on missing data, and exposes scan JSON through GITHUB_OUTPUT.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant GH as GitHub Actions
    participant GHAPI as GitHub API
    participant Aqua as AquaSec API

    GH->>GHAPI: Request repository context / repo ID
    GHAPI-->>GH: Respond with repo ID (or error)
    GH->>Aqua: POST /auth (signed with API key/secret)
    Aqua-->>GH: Bearer token (or error)
    Note right of GH: Mask bearer token in workflow outputs
    GH->>Aqua: GET /scans?repoId={id} (Authorization: Bearer)
    Aqua-->>GH: Scan results JSON (or empty)
    GH->>GH: Set GITHUB_OUTPUT=scan JSON or fail if missing

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Review authentication/signing and token masking in .github/workflows/aquasec_repository_scan.yml
  • Verify GitHub repo ID retrieval and error paths
  • Confirm correct escaping/format when writing GITHUB_OUTPUT

Suggested reviewers

  • ABMC831
  • Zejnilovic
  • oto-macenauer-absa
  • petr-pokorny-absa
  • miroslavpojer

Poem

"🐇 I hopped through commits with a quiet cheer,
Trivy packed away, AquaSec draws near,
Tokens tucked and JSON carrots gleam,
I thump—pipelines hum and scanners dream!"

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: replacing a Trivy scan workflow with an AquaSec API caller workflow for repository scanning.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai bot left a comment

Actionable comments posted: 4

🧹 Nitpick comments (2)
.github/workflows/aquasec_repository_scan.yml (2)

33-33: Consider parameterizing hardcoded API endpoints.

The AquaSec API endpoints are hardcoded with specific regions (eu-1 and eu-central-1). This limits flexibility if infrastructure changes or different regions are needed. Consider making these configurable via workflow inputs or environment variables, or document the region strategy.

Also applies to: 68-68


25-80: Add retry logic for network resilience.

The workflow makes multiple HTTP requests (AquaSec auth, GitHub API, AquaSec scan results) without retry logic. Transient network failures will cause the entire workflow to fail. Consider adding exponential backoff retry logic to improve resilience.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cc490bf and 10807d7.

📒 Files selected for processing (2)
  • .github/workflows/aquasec_repository_scan.yml (1 hunks)
  • .github/workflows/trivy_repository_scan.yml (0 hunks)
💤 Files with no reviewable changes (1)
  • .github/workflows/trivy_repository_scan.yml
🔇 Additional comments (1)
.github/workflows/aquasec_repository_scan.yml (1)

8-12: Clarify unused security-events: write permission.

The workflow declares security-events: write permission but doesn't upload SARIF results or use GitHub security events API. Given the PR is marked as WIP, clarify whether:

  1. SARIF upload to GitHub Security tab is planned?
  2. GitHub security event integration is part of the roadmap?
  3. This permission should be removed if not needed?

Once the workflow is complete, align permissions with actual usage.

Comment on lines 32 to 44
TIMESTAMP=$(date +%s)
AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/v2/tokens"
METHOD="POST"
POST_BODY='{"validity":240,"allowed_endpoints":["GET"]}'
STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}"
SIGNATURE=$(echo -n "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "$AQUA_SECRET" -hex | sed 's/.*= //g')

AUTH_RESPONSE=$(curl -s -X POST "$AUTH_ENDPOINT" \
-H "Content-Type: application/json" \
-H "X-API-Key: $AQUA_KEY" \
-H "X-Timestamp: $TIMESTAMP" \
-H "X-Signature: $SIGNATURE" \
-d "$POST_BODY")

⚠️ Potential issue | 🔴 Critical

Mask AQUA_SECRET to prevent exposure in logs.

The AQUA_SECRET is used directly in the HMAC calculation (line 37) without masking. If the step fails or debug logging is enabled, the secret could be exposed in the workflow logs. Mask it immediately upon use.

Apply this diff to mask the secret:

  echo "=== Authenticating with AquaSec ==="

  TIMESTAMP=$(date +%s)
  AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/v2/tokens"
  METHOD="POST"
  POST_BODY='{"validity":240,"allowed_endpoints":["GET"]}'
  STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}"
+ echo "::add-mask::$AQUA_SECRET"
  SIGNATURE=$(echo -n "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "$AQUA_SECRET" -hex | sed 's/.*= //g')
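Review bot: the added `::add-mask::` line only redacts the value from the job log; `openssl dgst -hmac "$AQUA_SECRET"` still passes the secret as a command-line argument, where it is visible to other processes on the runner for the duration of the call, and `STRING_TO_SIGN` and `SIGNATURE` remain unmasked, so a `set -x` anywhere in the step would still print them. If `AQUA_SECRET` is populated from the `secrets` context, the runner already masks it and this line is a no-op; the durable mitigation is to keep the step free of `set -x` and never echo the intermediate values. On the parsing, `sed 's/.*= //g'` copes with both the `(stdin)= ...` and the `HMAC-SHA2-256(stdin)= ...` prefixes that differ between OpenSSL versions, but `awk '{print $NF}'` (last field) is the less brittle way to take the hex digest.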

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In .github/workflows/aquasec_repository_scan.yml around lines 32 to 44, the
AQUA_SECRET is used directly in the HMAC command which can leak the secret into
logs if the step fails or debug is enabled; immediately mask the secret using
the GitHub Actions log-masking command (add-mask) as soon as AQUA_SECRET is
available and before any shell commands that reference it, avoid enabling shell
debug (set -x) in this step, and ensure no commands echo or print STRING_TO_SIGN
or SIGNATURE to the logs.
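A runnable version of the signing step, added here as an example and not code from the PR or from AquaSec: it separates the request path from the host so the signed string and the URL cannot drift apart, keeps the token scope to GET, and emits the `::add-mask::` directive only when running under Actions. The credential values used for the demo are constructed placeholders; the string-to-sign layout (timestamp + method + path + body) follows the workflow above, and the HMAC helper is checked against the public HMAC-SHA256 test vector (key `key`, message `The quick brown fox jumps over the lazy dog`).

```shell
#!/bin/sh
# Added example: signing a token request for the AquaSec auth endpoint so that
# it can be exercised offline. Credentials below are constructed placeholders.
set -eu

# Canonical string the HMAC is computed over. Keeping the path separate from
# the host is what keeps the signed path and the requested URL identical.
build_string_to_sign() {
  # $1 timestamp, $2 HTTP method, $3 request path, $4 request body
  printf '%s%s%s%s' "$1" "$2" "$3" "$4"
}

# HMAC-SHA256 of message $2 keyed with $1, as lowercase hex. awk takes the last
# field, which works for both "(stdin)= x" and "HMAC-SHA2-256(stdin)= x" output.
# The key travels on openssl's argv: masking protects the log, not the process table.
hmac_sha256_hex() {
  printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" -hex | awk '{print $NF}'
}

# Ask the Actions runner to redact a value from the job log. Outside Actions the
# directive would just be a line on stdout, so it is skipped there.
mask_in_actions_log() {
  if [ "${GITHUB_ACTIONS:-}" = "true" ]; then
    printf '::add-mask::%s\n' "$1"
  fi
}

# Least-privilege token body: the workflow only performs GET afterwards.
token_request_body() {
  printf '{"validity":240,"allowed_endpoints":["GET"]}'
}

# Emit the signed-request headers as name=value lines. Only the signature is
# printed; the secret and the string-to-sign are never echoed.
sign_token_request() {
  # $1 API key id, $2 API secret, $3 timestamp, $4 request body
  mask_in_actions_log "$2"
  path="/v2/tokens"                      # same path must be used in the URL
  sts=$(build_string_to_sign "$3" "POST" "$path" "$4")
  sig=$(hmac_sha256_hex "$2" "$sts")
  printf 'X-API-Key=%s\nX-Timestamp=%s\nX-Signature=%s\n' "$1" "$3" "$sig"
}

# Demo with constructed placeholder credentials: sh sign.sh demo
if [ "${1:-}" = "demo" ]; then
  sign_token_request "example-key-id" "example-secret" "$(date -u +%s)" "$(token_request_body)"
fi
```

In the workflow the host and `path` would be joined into the curl URL (`"$AUTH_HOST$path"`) so that a change to either cannot desynchronise the signature from the request.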

Comment on lines +59 to +64
REPO_ID=$(curl -s "https://api.github.com/repos/${{ github.repository }}" | jq -r '.id')

if [ -z "$REPO_ID" ] || [ "$REPO_ID" = "null" ]; then
echo "Failed to get repository ID from GitHub"
exit 1
fi

⚠️ Potential issue | 🟠 Major

Add explicit error handling for GitHub API call and configure timeout.

The curl request to GitHub API (line 59) lacks explicit error handling. If curl fails or hangs, the subsequent check for empty/null REPO_ID will catch the symptom, but the root cause (e.g., network timeout) is masked. Additionally, no timeout is configured, risking indefinite waits.

Apply this diff to add explicit error handling and timeout:

  echo "=== Getting Repository ID from GitHub ==="
  
- REPO_ID=$(curl -s "https://api.github.com/repos/${{ github.repository }}" | jq -r '.id')
+ REPO_ID=$(curl -s --max-time 10 "https://api.github.com/repos/${{ github.repository }}" | jq -r '.id')
+ if [ $? -ne 0 ]; then
+   echo "Failed to query GitHub API"
+   exit 1
+ fi
  
  if [ -z "$REPO_ID" ] || [ "$REPO_ID" = "null" ]; then
    echo "Failed to get repository ID from GitHub"
    exit 1
  fi
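Review bot: the added `if [ $? -ne 0 ]` tests the exit status of the pipeline, which without `set -o pipefail` is `jq`'s status, not `curl`'s; `jq -r '.id'` exits 0 on an error document such as `{"message":"Not Found"}` (printing `null`) and also on the empty input a timed-out curl produces, so the new branch never fires for the failures it targets. Combine `curl --fail --max-time 10` with `set -o pipefail` (or `jq -e '.id'`, which exits non-zero when the result is `null`), or drop the unauthenticated, rate-limited API call entirely and read `${{ github.repository_id }}` from the workflow context.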

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In .github/workflows/aquasec_repository_scan.yml around lines 59 to 64, the curl
call that fetches the GitHub repo ID lacks explicit error handling and a
timeout; update the workflow to call curl with --fail and a --max-time (timeout)
option, capture curl's exit status and stderr output, and if curl fails print a
descriptive error including the curl error/HTTP status and stderr before exiting
non-zero; then proceed to parse REPO_ID and keep the existing empty/null check
as a safety net.

Comment on lines +68 to +77
SCAN_RESULTS_ENDPOINT="https://eu-central-1.edge.cloud.aquasec.com/codesec/api/v1/scans/results"
SCAN_RESULTS=$(curl -s -X GET \
"$SCAN_RESULTS_ENDPOINT?repositoryIds=$REPO_ID" \
-H "Authorization: Bearer $BEARER_TOKEN" \
-H "Accept: application/json")

if [ -z "$SCAN_RESULTS" ]; then
echo "Failed to retrieve scan results"
exit 1
fi

⚠️ Potential issue | 🟠 Major

Validate HTTP response status and add timeout to scan results request.

The curl request (lines 69-72) lacks HTTP status validation. An error response from AquaSec (e.g., 4xx/5xx) could be treated as valid results, potentially masking failures. Additionally, no timeout is configured, risking indefinite waits.

Apply this diff to add status validation and timeout:

  echo "=== Receiving AquaSec Scan Results ==="
  
- SCAN_RESULTS=$(curl -s -X GET \
+ SCAN_RESPONSE=$(curl -s -w "\n%{http_code}" --max-time 10 -X GET \
    "$SCAN_RESULTS_ENDPOINT?repositoryIds=$REPO_ID" \
    -H "Authorization: Bearer $BEARER_TOKEN" \
    -H "Accept: application/json")
  
- if [ -z "$SCAN_RESULTS" ]; then
+ SCAN_RESULTS=$(echo "$SCAN_RESPONSE" | head -n -1)
+ HTTP_STATUS=$(echo "$SCAN_RESPONSE" | tail -n 1)
+ 
+ if [ "$HTTP_STATUS" != "200" ]; then
+   echo "AquaSec API returned status $HTTP_STATUS"
    echo "Failed to retrieve scan results"
    exit 1
+ fi
+ 
+ if [ -z "$SCAN_RESULTS" ]; then
+   echo "Scan results are empty"
    exit 1
  fi
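Review bot: `head -n -1` (negative count) is a GNU coreutils extension and fails on BSD `head` such as the macOS runners'; `sed '$d'` is the portable way to drop the status line. `-s` also silences curl's own error text, so a timeout or TLS failure shows up only as `HTTP_STATUS=000` with no explanation; `-sS` keeps the diagnostic while still suppressing the progress meter. A 10-second `--max-time` bounds the whole transfer, which is tight for a results endpoint; consider a larger value or `--connect-timeout` for the connect phase only.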
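The status-checking logic from the suggestion above, written so it can be run offline against constructed responses; this is an added example, not code from the PR. It assumes the `-w '\n%{http_code}'` convention (status on the last line) and uses `sed '$d'` instead of GNU-only `head -n -1`. The `fetch_with_status` wrapper shows the curl flags it pairs with but is not invoked here.

```shell
#!/bin/sh
# Added example: split a "body\nstatus" curl response and decide whether the
# body is usable. All responses below are constructed strings; no network I/O.
set -eu

# The curl call this pairs with (not run here): -sS keeps curl's own error
# text, --max-time bounds the whole transfer, -w appends the status line.
# With "set -e" a curl exit code (timeout, TLS) aborts the step by itself.
fetch_with_status() {
  curl -sS --max-time 30 -w '\n%{http_code}' -H "Accept: application/json" "$@"
}

# Body is everything but the last line. sed '$d' is portable across GNU/BSD.
response_body() {
  printf '%s\n' "$1" | sed '$d'
}

# Status is the last line; curl writes 000 when no HTTP response arrived.
response_status() {
  printf '%s\n' "$1" | tail -n 1
}

# Print the body and return 0 only for a 200 with a non-empty body.
# Each failure mode gets its own stderr message so the log shows the cause.
accept_scan_response() {
  status=$(response_status "$1")
  body=$(response_body "$1")
  case "$status" in
    200) ;;
    000) echo "no HTTP response (timeout, DNS or TLS failure)" >&2; return 1 ;;
    *)   echo "AquaSec API returned HTTP status $status" >&2; return 1 ;;
  esac
  if [ -z "$body" ]; then
    echo "scan results body is empty" >&2
    return 1
  fi
  printf '%s\n' "$body"
}

# Demo over constructed responses: sh check.sh demo
if [ "${1:-}" = "demo" ]; then
  for r in "$(printf '{"results":[{"id":1}]}\n200')" \
           "$(printf '{"message":"unauthorized"}\n401')" \
           "$(printf '\n000')"; do
    accept_scan_response "$r" || echo "rejected (exit $?)"
  done
fi
```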

@coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (3)
.github/workflows/aquasec_repository_scan.yml (3)

66-77: Add HTTP status validation and timeout to AquaSec scan results request.

The curl request (lines 69–72) lacks HTTP status validation and a timeout. An error response from AquaSec (e.g., 4xx/5xx) could be parsed as valid results, silently masking failures. Add --max-time, capture HTTP status, and validate it before processing results.

Apply this diff:

  echo "=== Receiving AquaSec Scan Results ==="
  
  SCAN_RESULTS_ENDPOINT="https://eu-central-1.edge.cloud.aquasec.com/codesec/api/v1/scans/results"
- SCAN_RESULTS=$(curl -s -X GET \
+ SCAN_RESPONSE=$(curl -s -w "\n%{http_code}" --max-time 10 -X GET \
    "$SCAN_RESULTS_ENDPOINT?repositoryIds=$REPO_ID" \
    -H "Authorization: Bearer $BEARER_TOKEN" \
    -H "Accept: application/json")
  
- if [ -z "$SCAN_RESULTS" ]; then
+ SCAN_RESULTS=$(echo "$SCAN_RESPONSE" | head -n -1)
+ HTTP_STATUS=$(echo "$SCAN_RESPONSE" | tail -n 1)
+ 
+ if [ "$HTTP_STATUS" != "200" ]; then
+   echo "AquaSec API returned HTTP status $HTTP_STATUS"
    echo "Failed to retrieve scan results"
    exit 1
+ fi
+ 
+ if [ -z "$SCAN_RESULTS" ]; then
+   echo "Scan results body is empty"
    exit 1
  fi
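Review bot: a 200 whose body is `[]`, `{}` or an HTML error page passes both checks in this hunk, and the failure then surfaces only at the later `jq '.'` print step with a less useful message; validate the body with `jq -e .` (or `jq -e 'length > 0'`) before handing it on. `head -n -1` is GNU-only; `sed '$d'` does the same on every platform.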

30-55: Mask AQUA_SECRET before using it in shell commands to prevent log exposure.

The AQUA_SECRET is used directly in the OpenSSL HMAC calculation (line 37) without masking. If the step fails, debug logging is enabled, or the openssl command outputs diagnostic information, the secret could be leaked into workflow logs. Although BEARER_TOKEN is correctly masked on line 51, AQUA_SECRET should also be masked immediately upon use.

Apply this diff to mask the secret:

  echo "=== Authenticating with AquaSec ==="
  
  TIMESTAMP=$(date -u +%s)
  AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com"
  METHOD="POST"
  POST_BODY='{"validity":240,"allowed_endpoints":["GET","POST"]}'
  STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}"
+ echo "::add-mask::$AQUA_SECRET"
  SIGNATURE=$(echo -n "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "$AQUA_SECRET" -hex | sed 's/.*= //g')
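Review bot: the context lines show `AUTH_ENDPOINT` is now the bare host `https://eu-1.api.cloudsploit.com` while `STRING_TO_SIGN` still covers `/v2/tokens`, and the request further down the file is sent to `"$AUTH_ENDPOINT"` as-is, so the signed path and the requested path no longer agree; append `/v2/tokens` to the URL or derive both from one `AUTH_PATH` variable. `allowed_endpoints` also grew to `["GET","POST"]` although the token's only later use is a GET on the scan-results endpoint; keep it at `["GET"]`. Placing the mask before first use is right, but it leaves `STRING_TO_SIGN` and `SIGNATURE` unmasked and the secret still on openssl's argv, so the step must stay free of `set -x`.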

57-64: Add explicit error handling and timeout to GitHub API call.

The curl request on line 59 lacks error handling and a timeout. If the request hangs or fails, the subsequent check for empty/null REPO_ID masks the root cause. Additionally, silent curl failures are not detected. Add --max-time, explicit error handling, and curl exit code validation.

Apply this diff:

  echo "=== Getting Repository ID from GitHub ==="
  
- REPO_ID=$(curl -s "https://api.github.com/repos/${{ github.repository }}" | jq -r '.id')
+ REPO_ID=$(curl -s --max-time 10 "https://api.github.com/repos/${{ github.repository }}" 2>/dev/null | jq -r '.id' 2>/dev/null)
+ if [ $? -ne 0 ]; then
+   echo "Failed to retrieve repository ID from GitHub API"
+   exit 1
+ fi
  
  if [ -z "$REPO_ID" ] || [ "$REPO_ID" = "null" ]; then
    echo "Failed to get repository ID from GitHub"
    exit 1
  fi
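Review bot: `2>/dev/null` on both `curl` and `jq` discards exactly the diagnostics that would explain a failure, and `$?` after the pipeline is still `jq`'s status (0 for `null` output and for empty input) unless `set -o pipefail` is in effect, so the added branch is unreachable in practice. Drop the redirections, add `curl --fail`, and either run under `pipefail` or use `jq -e '.id'` so that a `null` id is itself a non-zero exit.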
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 77f0e24 and 8d1b523.

📒 Files selected for processing (1)
  • .github/workflows/aquasec_repository_scan.yml (1 hunks)

Comment on lines +46 to +55
RESPONSE_STATUS=$(echo "$AUTH_RESPONSE" | jq -r '.status')

if [ "$RESPONSE_STATUS" = "200" ]; then
echo "Login successful."
BEARER_TOKEN=$(echo "$AUTH_RESPONSE" | jq -r '.data')
echo "::add-mask::$BEARER_TOKEN"
else
echo "Login failed"
exit 1
fi

⚠️ Potential issue | 🟠 Major

Add error handling for JSON parsing of authentication response.

The jq call on line 46 assumes the API response is valid JSON and contains a .status field. If the response is malformed or jq fails, the check on line 48 will silently treat the status as non-200, but the error is not explicitly logged. Add validation for jq's exit code.

Apply this diff to add error handling:

  AUTH_RESPONSE=$(curl -s -X "$METHOD" "$AUTH_ENDPOINT" \
    -H "Content-Type: application/json" \
    -H "X-API-Key: $AQUA_KEY" \
    -H "X-Timestamp: $TIMESTAMP" \
    -H "X-Signature: $SIGNATURE" \
    -d "$POST_BODY")
  
- RESPONSE_STATUS=$(echo "$AUTH_RESPONSE" | jq -r '.status')
+ RESPONSE_STATUS=$(echo "$AUTH_RESPONSE" | jq -r '.status' 2>/dev/null)
+ if [ $? -ne 0 ]; then
+   echo "Failed to parse AquaSec authentication response"
+   exit 1
+ fi
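Review bot: `$?` after `echo | jq` is jq's status, and `jq -r '.status'` exits 0 on any valid JSON that lacks the field (printing `null`), while `2>/dev/null` hides the one case where jq really does fail (a non-JSON body), so the new branch effectively triggers only when jq is missing. `RESPONSE_STATUS=$(printf '%s' "$AUTH_RESPONSE" | jq -e -r '.status') || { echo "..."; exit 1; }` covers both malformed JSON and a missing field. Note also that `.status` is a field in the response body, not the HTTP status code; a `-w '%{http_code}'` check is needed to catch an HTTP-level error whose body is not JSON.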
🤖 Prompt for AI Agents
In .github/workflows/aquasec_repository_scan.yml around lines 46 to 55, the
script assumes jq successfully parsed the auth response and contained
.status/.data; add explicit jq error handling by checking jq's exit code (or
using jq -e) after parsing RESPONSE_STATUS and BEARER_TOKEN, log the raw
AUTH_RESPONSE and jq error if parsing fails, and exit non-zero; also validate
that RESPONSE_STATUS equals "200" before extracting BEARER_TOKEN and ensure
BEARER_TOKEN is non-empty before masking and continuing.
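The parsing discipline asked for in this comment and in the repository-ID comments above, as an added example that is not part of the PR: `jq -e` turns a missing field, a `null` value or a non-JSON body into a non-zero exit, each failure gets a distinct exit code and message, and a small helper shows what `$?` actually reports after a `producer | jq` pipeline with and without `pipefail`. The responses are constructed; jq must be installed.

```shell
#!/bin/sh
# Added example: fail-loud parsing of an auth response, plus the pipeline
# exit-status pitfall. No network calls; inputs are constructed strings.
set -eu

# Extract the bearer token from an auth response body.
# Returns 0 with the token on stdout, 2 for unparseable JSON or missing
# .status, 3 for a non-200 status, 4 for a missing or empty token.
parse_auth_response() {
  printf '%s' "$1" | jq -e . >/dev/null 2>&1 || {
    echo "auth response is not valid JSON" >&2; return 2; }
  status=$(printf '%s' "$1" | jq -e -r '.status') || {
    echo "auth response has no .status field" >&2; return 2; }
  if [ "$status" != "200" ]; then
    echo "login failed with status $status" >&2; return 3
  fi
  # select() drops an empty string; jq -e then exits 4 (no output) or 1 (null).
  token=$(printf '%s' "$1" | jq -e -r '.data | select(. != "")') || {
    echo "login succeeded but no token in .data" >&2; return 4; }
  printf '%s\n' "$token"
}

# What "$?" reports after a pipeline whose producer fails (exit 28, curl's
# timeout code) and jq reads empty input. $1 is "on" or "off" for pipefail.
# Prints "unsupported" if this sh has no pipefail option.
pipeline_status() {
  (
    set +e
    if [ "$1" = "on" ]; then
      set -o pipefail 2>/dev/null || { echo unsupported; exit 0; }
    fi
    sh -c 'exit 28' | jq -r '.id' >/dev/null
    echo "$?"
  )
}

# Demo: sh parse.sh demo
if [ "${1:-}" = "demo" ]; then
  parse_auth_response '{"status":200,"data":"constructed-token"}' || echo "exit $?"
  parse_auth_response '{"status":401,"message":"bad signature"}' || echo "exit $?"
  parse_auth_response '<html>502 Bad Gateway</html>' || echo "exit $?"
  echo "status without pipefail: $(pipeline_status off)"
  echo "status with pipefail:    $(pipeline_status on)"
fi
```

The `pipeline_status` helper is the point of the `$?` remarks: without `pipefail` the producer's exit 28 is invisible (jq reports 0 on empty input), which is why a `curl | jq` followed by `[ $? -ne 0 ]` cannot detect a failed curl.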

Comment on lines +79 to +80
echo "=== Scan Results ==="
echo "$SCAN_RESULTS" | jq '.'

⚠️ Potential issue | 🟠 Major

Export scan results via GITHUB_OUTPUT for use in downstream jobs.

The workflow echoes the scan results to stdout (line 80) but does not emit them as a workflow output via GITHUB_OUTPUT. The summary mentions the workflow "emits the scan JSON via GITHUB_OUTPUT," but this is not implemented. Add a line to export the results so they can be accessed by subsequent jobs or workflow runs.

  echo "=== Scan Results ==="
  echo "$SCAN_RESULTS" | jq '.'
+ echo "AQUASEC_SCAN_RESULTS=$SCAN_RESULTS" >> $GITHUB_OUTPUT
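Review bot: `echo "AQUASEC_SCAN_RESULTS=$SCAN_RESULTS" >> $GITHUB_OUTPUT` breaks as soon as the JSON contains a newline (the pretty-printed form on the preceding line does): every following line is parsed as its own `name=value` entry, and a finding whose text carries a newline could define arbitrary extra outputs. Use the heredoc form described in the AI-agent prompt below with a delimiter the body cannot contain, quote `"$GITHUB_OUTPUT"`, give the step an `id:` and map it through `jobs.<id>.outputs` so other jobs can read it, and mind the 1 MB per-output limit, which a full-repository result set can exceed; an uploaded artifact is the safer channel for large payloads.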
🤖 Prompt for AI Agents
In .github/workflows/aquasec_repository_scan.yml around lines 79 to 80, the job
prints the scan JSON to stdout but does not export it as a GitHub Actions
output; append the scan JSON to GITHUB_OUTPUT so downstream jobs can consume it
by adding a multi-line output write like: write a "scan_results" multi-line
output block to $GITHUB_OUTPUT (for example using the heredoc pattern: echo
"scan_results<<EOF" >> $GITHUB_OUTPUT; echo "$SCAN_RESULTS" >> $GITHUB_OUTPUT;
echo "EOF" >> $GITHUB_OUTPUT), ensuring the JSON is preserved even if it
contains newlines or special characters.
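The heredoc pattern from the prompt above, carried through as an added example (not code from the PR): the output name is validated, the delimiter is regenerated until no line of the value equals it, the 1 MB per-output cap is checked up front, and a small reader parses the file back so the round trip can be verified. The output file path is an argument so the functions can run against a temp file; in a step pass `"$GITHUB_OUTPUT"`. The sample JSON and the `ghadelim` delimiter prefix are constructed.

```shell
#!/bin/sh
# Added example: write a multi-line value to a GITHUB_OUTPUT-style file with
# the name<<DELIM ... DELIM form, and read it back. Sample data is constructed.
set -eu

max_output_bytes=1048576   # GitHub's cap for a single output value

# Output names feed GitHub's parser; restrict them so "=" or a newline in a
# name cannot create extra outputs.
valid_output_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'
}

# True if the value fits the per-output limit.
output_size_ok() {
  size=$(printf '%s' "$1" | wc -c | tr -d ' ')
  [ "$size" -le "$max_output_bytes" ]
}

# Write value $2 under name $1 into file $3. The delimiter is extended until
# no line of the value matches it exactly, so a crafted payload cannot close
# the block early and inject further outputs.
write_multiline_output() {
  name=$1; value=$2; out=$3
  valid_output_name "$name" || { echo "invalid output name: $name" >&2; return 1; }
  output_size_ok "$value" || { echo "output $name exceeds $max_output_bytes bytes" >&2; return 1; }
  delim="ghadelim_${$}_$(date +%s)"
  n=0
  while printf '%s\n' "$value" | grep -Fxq "$delim"; do
    n=$((n + 1)); delim="${delim}_$n"
  done
  {
    printf '%s<<%s\n' "$name" "$delim"
    printf '%s\n' "$value"
    printf '%s\n' "$delim"
  } >> "$out"
}

# Read the value stored under name $1 from file $2 (first occurrence).
read_output() {
  awk -v name="$1" '
    !inblock && index($0, name "<<") == 1 { delim = substr($0, length(name) + 3); inblock = 1; next }
    inblock && $0 == delim { exit }
    inblock { print }
  ' "$2"
}

# Demo against a temp file: sh output.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp="${TMPDIR:-/tmp}/ghout_demo_$$"
  : > "$tmp"
  write_multiline_output scan_results "$(printf '{\n  "results": [{"id": 1}]\n}')" "$tmp"
  echo "--- file ---"; cat "$tmp"
  echo "--- read back ---"; read_output scan_results "$tmp"
  rm -f "$tmp"
fi
```

For a later job to see the value, the step needs an `id:` and the job an `outputs:` entry such as `scan_results: ${{ steps.<id>.outputs.scan_results }}`; the file format alone does not make it cross-job.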
