80 changes: 80 additions & 0 deletions .github/workflows/aquasec_repository_scan.yml
@@ -0,0 +1,80 @@
name: AquaSec Full Repository Scan

on:
workflow_dispatch:
pull_request:
types: [ opened, synchronize ]

permissions:
contents: read
issues: write
pull-requests: write
security-events: write

jobs:
aquasec:
name: AquaSec Full Repository Scan
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
persist-credentials: false
fetch-depth: 0

- name: Retrieve AquaSec Scan Results
env:
AQUA_KEY: ${{ secrets.AQUA_KEY }}
AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
run: |
echo "=== Authenticating with AquaSec ==="

TIMESTAMP=$(date -u +%s)
AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com"
METHOD="POST"
POST_BODY='{"validity":240,"allowed_endpoints":["GET","POST"]}'
STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}"
SIGNATURE=$(echo -n "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "$AQUA_SECRET" -hex | sed 's/.*= //g')

AUTH_RESPONSE=$(curl -s -X "$METHOD" "$AUTH_ENDPOINT" \
-H "Content-Type: application/json" \
-H "X-API-Key: $AQUA_KEY" \
-H "X-Timestamp: $TIMESTAMP" \
-H "X-Signature: $SIGNATURE" \
-d "$POST_BODY")

RESPONSE_STATUS=$(echo "$AUTH_RESPONSE" | jq -r '.status')

if [ "$RESPONSE_STATUS" = "200" ]; then
echo "Login successful."
BEARER_TOKEN=$(echo "$AUTH_RESPONSE" | jq -r '.data')
echo "::add-mask::$BEARER_TOKEN"
else
echo "Login failed"
exit 1
fi
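Review bot: The signed string and the request URL disagree: `STRING_TO_SIGN` embeds the path `/v2/tokens`, but the POST goes to the bare `$AUTH_ENDPOINT` with no path, so either the request should target `${AUTH_ENDPOINT}/v2/tokens` or the signed string must be built from the URL actually called; as written the two cannot both be right, and the `else` branch prints only "Login failed" without the HTTP status that would show which one is wrong. Separately, the `permissions` block grants `issues: write`, `pull-requests: write` and `security-events: write`, yet no step in this file writes to any of them; reduce it to `contents: read` until a step needs more, since the `pull_request` trigger hands this token to every synchronize run.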
Comment on lines +46 to +55

⚠️ Potential issue | 🟠 Major

Add error handling for JSON parsing of authentication response.

The jq call on line 46 assumes the API response is valid JSON and contains a .status field. If the response is malformed or jq fails, the check on line 48 will silently treat the status as non-200, but the error is not explicitly logged. Add validation for jq's exit code.

Apply this diff to add error handling:

  AUTH_RESPONSE=$(curl -s -X "$METHOD" "$AUTH_ENDPOINT" \
    -H "Content-Type: application/json" \
    -H "X-API-Key: $AQUA_KEY" \
    -H "X-Timestamp: $TIMESTAMP" \
    -H "X-Signature: $SIGNATURE" \
    -d "$POST_BODY")
  
- RESPONSE_STATUS=$(echo "$AUTH_RESPONSE" | jq -r '.status')
+ RESPONSE_STATUS=$(echo "$AUTH_RESPONSE" | jq -r '.status' 2>/dev/null)
+ if [ $? -ne 0 ]; then
+   echo "Failed to parse AquaSec authentication response"
+   exit 1
+ fi
🤖 Prompt for AI Agents
In .github/workflows/aquasec_repository_scan.yml around lines 46 to 55, the
script assumes jq successfully parsed the auth response and contained
.status/.data; add explicit jq error handling by checking jq's exit code (or
using jq -e) after parsing RESPONSE_STATUS and BEARER_TOKEN, log the raw
AUTH_RESPONSE and jq error if parsing fails, and exit non-zero; also validate
that RESPONSE_STATUS equals "200" before extracting BEARER_TOKEN and ensure
BEARER_TOKEN is non-empty before masking and continuing.


echo "=== Getting Repository ID from GitHub ==="

REPO_ID=$(curl -s "https://api.github.com/repos/${{ github.repository }}" | jq -r '.id')

if [ -z "$REPO_ID" ] || [ "$REPO_ID" = "null" ]; then
echo "Failed to get repository ID from GitHub"
exit 1
fi
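Review bot: The `GET /repos/{owner}/{repo}` call is unauthenticated, so it shares the per-IP unauthenticated rate limit with every other job on the hosted runner pool and returns a 404 body (with `.id` equal to `null`) for a private repository; both failures surface only as the generic "Failed to get repository ID" message. Pass the job token, which already has `contents: read`, and move the expression out of the script body: set `env: GITHUB_TOKEN: ${{ github.token }}` and `REPO: ${{ github.repository }}` on the step, then call `curl -sS --fail -H "Authorization: Bearer $GITHUB_TOKEN" "https://api.github.com/repos/$REPO"`. `github.repository` is not attacker-controlled, but keeping `${{ }}` expressions out of `run:` scripts is the habit that prevents script injection when a less trusted context is added to the same step later.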
Comment on lines +59 to +64

⚠️ Potential issue | 🟠 Major

Add explicit error handling for GitHub API call and configure timeout.

The curl request to GitHub API (line 59) lacks explicit error handling. If curl fails or hangs, the subsequent check for empty/null REPO_ID will catch the symptom, but the root cause (e.g., network timeout) is masked. Additionally, no timeout is configured, risking indefinite waits.

Apply this diff to add explicit error handling and timeout:

  echo "=== Getting Repository ID from GitHub ==="
  
- REPO_ID=$(curl -s "https://api.github.com/repos/${{ github.repository }}" | jq -r '.id')
+ REPO_ID=$(curl -s --max-time 10 "https://api.github.com/repos/${{ github.repository }}" | jq -r '.id')
+ if [ $? -ne 0 ]; then
+   echo "Failed to query GitHub API"
+   exit 1
+ fi
  
  if [ -z "$REPO_ID" ] || [ "$REPO_ID" = "null" ]; then
    echo "Failed to get repository ID from GitHub"
    exit 1
  fi
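Review bot: The added `$?` check tests jq's exit status, not curl's, because it follows a pipeline without `set -o pipefail`, and curl without `--fail` exits 0 on HTTP error responses anyway. When curl cannot connect under `-s`, jq receives empty input and exits 0, so `REPO_ID` is empty and the existing `-z` check fires with the same generic message; the root cause this diff sets out to surface stays masked. Either add `set -o pipefail` and call `curl -sS --fail --max-time 10 ...`, or capture the body first (`BODY=$(curl -sS --fail --max-time 10 "...") || { echo "GitHub API request failed (curl exit $?)"; exit 1; }`) and pipe `$BODY` to jq as a separate step.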

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In .github/workflows/aquasec_repository_scan.yml around lines 59 to 64, the curl
call that fetches the GitHub repo ID lacks explicit error handling and a
timeout; update the workflow to call curl with --fail and a --max-time (timeout)
option, capture curl's exit status and stderr output, and if curl fails print a
descriptive error including the curl error/HTTP status and stderr before exiting
non-zero; then proceed to parse REPO_ID and keep the existing empty/null check
as a safety net.


echo "=== Receiving AquaSec Scan Results ==="

SCAN_RESULTS_ENDPOINT="https://eu-central-1.edge.cloud.aquasec.com/codesec/api/v1/scans/results"
SCAN_RESULTS=$(curl -s -X GET \
"$SCAN_RESULTS_ENDPOINT?repositoryIds=$REPO_ID" \
-H "Authorization: Bearer $BEARER_TOKEN" \
-H "Accept: application/json")

if [ -z "$SCAN_RESULTS" ]; then
echo "Failed to retrieve scan results"
exit 1
fi
Comment on lines +68 to +77

⚠️ Potential issue | 🟠 Major

Validate HTTP response status and add timeout to scan results request.

The curl request (lines 69-72) lacks HTTP status validation. An error response from AquaSec (e.g., 4xx/5xx) could be treated as valid results, potentially masking failures. Additionally, no timeout is configured, risking indefinite waits.

Apply this diff to add status validation and timeout:

  echo "=== Receiving AquaSec Scan Results ==="
  
- SCAN_RESULTS=$(curl -s -X GET \
+ SCAN_RESPONSE=$(curl -s -w "\n%{http_code}" --max-time 10 -X GET \
    "$SCAN_RESULTS_ENDPOINT?repositoryIds=$REPO_ID" \
    -H "Authorization: Bearer $BEARER_TOKEN" \
    -H "Accept: application/json")
  
- if [ -z "$SCAN_RESULTS" ]; then
+ SCAN_RESULTS=$(echo "$SCAN_RESPONSE" | head -n -1)
+ HTTP_STATUS=$(echo "$SCAN_RESPONSE" | tail -n 1)
+ 
+ if [ "$HTTP_STATUS" != "200" ]; then
+   echo "AquaSec API returned status $HTTP_STATUS"
    echo "Failed to retrieve scan results"
    exit 1
+ fi
+ 
+ if [ -z "$SCAN_RESULTS" ]; then
+   echo "Scan results are empty"
    exit 1
  fi


echo "=== Scan Results ==="
echo "$SCAN_RESULTS" | jq '.'
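Review bot: The step prints the full result set to the job log and always exits 0, so on `pull_request` this check is informational only and never gates a merge. Decide what should fail the run (for example a `jq -e` test on the count of findings at or above a chosen severity) and exit non-zero on it. Routing matters as well: job logs are readable by anyone with read access to the repository, so if the results carry file paths or, where the scan includes secret detection, matched values, writing them to stdout widens their audience; an uploaded artifact, or a `security-events` upload, which is the one requested permission in this file that would actually fit, keeps them under the repository's security-alert access controls instead.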
Comment on lines +79 to +80

⚠️ Potential issue | 🟠 Major

Export scan results via GITHUB_OUTPUT for use in downstream jobs.

The workflow echoes the scan results to stdout (line 80) but does not emit them as a workflow output via GITHUB_OUTPUT. The summary mentions the workflow "emits the scan JSON via GITHUB_OUTPUT," but this is not implemented. Add a line to export the results so they can be accessed by subsequent jobs or workflow runs.

  echo "=== Scan Results ==="
  echo "$SCAN_RESULTS" | jq '.'
+ echo "AQUASEC_SCAN_RESULTS=$SCAN_RESULTS" >> $GITHUB_OUTPUT
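Review bot: The suggested `KEY=value` write breaks as soon as `$SCAN_RESULTS` contains a newline, which the pretty-printed JSON on the line above does and the raw API body may; `$GITHUB_OUTPUT` is parsed line by line, so only the first line becomes the value. Use the multi-line form with a delimiter, and choose the delimiter randomly (for example `delim=$(openssl rand -hex 8)`) because the body comes from a third-party API and a literal `EOF` line inside it would terminate the block early. The output is also unreachable as proposed: the step has no `id:`, the job declares no `outputs:` mapping, and the workflow has a single job, so nothing downstream can read `AQUASEC_SCAN_RESULTS` until both are added; step outputs are size-capped too, so a full scan result set is better carried as an artifact.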
🤖 Prompt for AI Agents
In .github/workflows/aquasec_repository_scan.yml around lines 79 to 80, the job
prints the scan JSON to stdout but does not export it as a GitHub Actions
output; append the scan JSON to GITHUB_OUTPUT so downstream jobs can consume it
by adding a multi-line output write like: write a "scan_results" multi-line
output block to $GITHUB_OUTPUT (for example using the heredoc pattern: echo
"scan_results<<EOF" >> $GITHUB_OUTPUT; echo "$SCAN_RESULTS" >> $GITHUB_OUTPUT;
echo "EOF" >> $GITHUB_OUTPUT), ensuring the JSON is preserved even if it
contains newlines or special characters.

143 changes: 0 additions & 143 deletions .github/workflows/trivy_repository_scan.yml

This file was deleted.
