API caller for AquaSec full repository scan #89
base: master
Walkthrough

Removes the Trivy repository-scan workflow and adds an AquaSec full-repository scan workflow that authenticates to AquaSec, obtains the GitHub repository ID, requests AquaSec scan results for that repo, errors on missing results, and emits the scan JSON via GITHUB_OUTPUT.

Sequence Diagram(s)

```mermaid
sequenceDiagram
    autonumber
    participant Runner as GitHub Actions Runner
    participant GHAPI as GitHub API
    participant Aqua as AquaSec API
    Runner->>GHAPI: GET /repos/{owner}/{repo} (retrieve repo ID)
    GHAPI-->>Runner: 200 OK with repo ID
    Runner->>Aqua: POST /auth (signed with API key/secret)
    Aqua-->>Runner: 200 OK with bearer token
    Note right of Runner: Mask bearer token in workflow logs/outputs
    Runner->>Aqua: GET /scans?repoId={id} (Authorization: Bearer)
    Aqua-->>Runner: 200 OK with scan results JSON or empty
    Runner->>Runner: Write scan JSON to GITHUB_OUTPUT or fail if missing
```
Actionable comments posted: 4
🧹 Nitpick comments (2)
.github/workflows/aquasec_repository_scan.yml (2)
33-33: Consider parameterizing hardcoded API endpoints.

The AquaSec API endpoints are hardcoded with specific regions (`eu-1` and `eu-central-1`). This limits flexibility if infrastructure changes or different regions are needed. Consider making these configurable via workflow inputs or environment variables, or document the region strategy.

Also applies to: 68-68

25-80: Add retry logic for network resilience.

The workflow makes multiple HTTP requests (AquaSec auth, GitHub API, AquaSec scan results) without retry logic. Transient network failures will cause the entire workflow to fail. Consider adding exponential backoff retry logic to improve resilience.
📒 Files selected for processing (2)
- .github/workflows/aquasec_repository_scan.yml (1 hunks)
- .github/workflows/trivy_repository_scan.yml (0 hunks)

💤 Files with no reviewable changes (1)
- .github/workflows/trivy_repository_scan.yml
🔇 Additional comments (1)
.github/workflows/aquasec_repository_scan.yml (1)
8-12: Clarify unused `security-events: write` permission.

The workflow declares `security-events: write` permission but doesn't upload SARIF results or use GitHub security events API. Given the PR is marked as WIP, clarify whether:
- SARIF upload to GitHub Security tab is planned?
- GitHub security event integration is part of the roadmap?
- This permission should be removed if not needed?

Once the workflow is complete, align permissions with actual usage.
| TIMESTAMP=$(date +%s) | ||
| AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/v2/tokens" | ||
| METHOD="POST" | ||
| POST_BODY='{"validity":240,"allowed_endpoints":["GET"]}' | ||
| STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}" | ||
| SIGNATURE=$(echo -n "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "$AQUA_SECRET" -hex | sed 's/.*= //g') | ||
|
|
||
| AUTH_RESPONSE=$(curl -s -X POST "$AUTH_ENDPOINT" \ | ||
| -H "Content-Type: application/json" \ | ||
| -H "X-API-Key: $AQUA_KEY" \ | ||
| -H "X-Timestamp: $TIMESTAMP" \ | ||
| -H "X-Signature: $SIGNATURE" \ | ||
| -d "$POST_BODY") |
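Review bot: `/v2/tokens` appears twice in this hunk, once inside `AUTH_ENDPOINT` and again as a literal in `STRING_TO_SIGN`; if either is edited on its own the signature silently stops matching the request and the only symptom is a failed login. Hold the path in one variable (for example `AUTH_PATH="/v2/tokens"`) and derive both the URL and the signed string from it. Separately, `curl -s` suppresses the reason a request failed; `-sS` keeps the progress meter off while still reporting transport errors.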
Mask AQUA_SECRET to prevent exposure in logs.
The AQUA_SECRET is used directly in the HMAC calculation (line 37) without masking. If the step fails or debug logging is enabled, the secret could be exposed in the workflow logs. Mask it immediately upon use.
Apply this diff to mask the secret:
echo "=== Authenticating with AquaSec ==="
TIMESTAMP=$(date +%s)
AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/v2/tokens"
METHOD="POST"
POST_BODY='{"validity":240,"allowed_endpoints":["GET"]}'
STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}"
+ echo "::add-mask::$AQUA_SECRET"
SIGNATURE=$(echo -n "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "$AQUA_SECRET" -hex | sed 's/.*= //g')
🤖 Prompt for AI Agents
In .github/workflows/aquasec_repository_scan.yml around lines 32 to 44, the
AQUA_SECRET is used directly in the HMAC command which can leak the secret into
logs if the step fails or debug is enabled; immediately mask the secret using
the GitHub Actions log-masking command (add-mask) as soon as AQUA_SECRET is
available and before any shell commands that reference it, avoid enabling shell
debug (set -x) in this step, and ensure no commands echo or print STRING_TO_SIGN
or SIGNATURE to the logs.
| REPO_ID=$(curl -s "https://api.github.com/repos/${{ github.repository }}" | jq -r '.id') | ||
|
|
||
| if [ -z "$REPO_ID" ] || [ "$REPO_ID" = "null" ]; then | ||
| echo "Failed to get repository ID from GitHub" | ||
| exit 1 | ||
| fi |
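Review bot: the unauthenticated `curl` to `api.github.com` is unnecessary here: the repository ID is already available in the workflow context as `${{ github.repository_id }}`, which avoids both the anonymous API rate limit and a network round trip that can fail. If the call is kept, add `-sS --max-time 10` and check curl's exit status before the `-z`/`"null"` test, since that test cannot distinguish a timeout or rate-limit response from a genuinely missing field.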
Add explicit error handling for GitHub API call and configure timeout.
The curl request to GitHub API (line 59) lacks explicit error handling. If curl fails or hangs, the subsequent check for empty/null REPO_ID will catch the symptom, but the root cause (e.g., network timeout) is masked. Additionally, no timeout is configured, risking indefinite waits.
Apply this diff to add explicit error handling and timeout:
echo "=== Getting Repository ID from GitHub ==="
- REPO_ID=$(curl -s "https://api.github.com/repos/${{ github.repository }}" | jq -r '.id')
+ REPO_ID=$(curl -s --max-time 10 "https://api.github.com/repos/${{ github.repository }}" | jq -r '.id')
+ if [ $? -ne 0 ]; then
+ echo "Failed to query GitHub API"
+ exit 1
+ fi
if [ -z "$REPO_ID" ] || [ "$REPO_ID" = "null" ]; then
echo "Failed to get repository ID from GitHub"
exit 1
fi
🤖 Prompt for AI Agents
In .github/workflows/aquasec_repository_scan.yml around lines 59 to 64, the curl
call that fetches the GitHub repo ID lacks explicit error handling and a
timeout; update the workflow to call curl with --fail and a --max-time (timeout)
option, capture curl's exit status and stderr output, and if curl fails print a
descriptive error including the curl error/HTTP status and stderr before exiting
non-zero; then proceed to parse REPO_ID and keep the existing empty/null check
as a safety net.
| SCAN_RESULTS_ENDPOINT="https://eu-central-1.edge.cloud.aquasec.com/codesec/api/v1/scans/results" | ||
| SCAN_RESULTS=$(curl -s -X GET \ | ||
| "$SCAN_RESULTS_ENDPOINT?repositoryIds=$REPO_ID" \ | ||
| -H "Authorization: Bearer $BEARER_TOKEN" \ | ||
| -H "Accept: application/json") | ||
|
|
||
| if [ -z "$SCAN_RESULTS" ]; then | ||
| echo "Failed to retrieve scan results" | ||
| exit 1 | ||
| fi |
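Review bot: the `-z` test on `SCAN_RESULTS` accepts any non-empty body, so an HTML error page or a JSON error object from AquaSec passes here and the step only falls over later at `jq '.'`, with a misleading message. In addition to checking the HTTP status, validate the body with `printf '%s' "$SCAN_RESULTS" | jq -e . >/dev/null` so non-JSON content fails at this point with a clear error. If the status is split off with `-w "\n%{http_code}"`, note that `head -n -1` is GNU-specific; `sed '$d'` does the same portably.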
Validate HTTP response status and add timeout to scan results request.
The curl request (lines 69-72) lacks HTTP status validation. An error response from AquaSec (e.g., 4xx/5xx) could be treated as valid results, potentially masking failures. Additionally, no timeout is configured, risking indefinite waits.
Apply this diff to add status validation and timeout:
echo "=== Receiving AquaSec Scan Results ==="
- SCAN_RESULTS=$(curl -s -X GET \
+ SCAN_RESPONSE=$(curl -s -w "\n%{http_code}" --max-time 10 -X GET \
"$SCAN_RESULTS_ENDPOINT?repositoryIds=$REPO_ID" \
-H "Authorization: Bearer $BEARER_TOKEN" \
-H "Accept: application/json")
- if [ -z "$SCAN_RESULTS" ]; then
+ SCAN_RESULTS=$(echo "$SCAN_RESPONSE" | head -n -1)
+ HTTP_STATUS=$(echo "$SCAN_RESPONSE" | tail -n 1)
+
+ if [ "$HTTP_STATUS" != "200" ]; then
+ echo "AquaSec API returned status $HTTP_STATUS"
echo "Failed to retrieve scan results"
exit 1
+ fi
+
+ if [ -z "$SCAN_RESULTS" ]; then
+ echo "Scan results are empty"
exit 1
fi
Actionable comments posted: 2
♻️ Duplicate comments (3)
.github/workflows/aquasec_repository_scan.yml (3)
66-77: Add HTTP status validation and timeout to AquaSec scan results request.

The curl request (lines 69–72) lacks HTTP status validation and a timeout. An error response from AquaSec (e.g., 4xx/5xx) could be parsed as valid results, silently masking failures. Add `--max-time`, capture HTTP status, and validate it before processing results.

Apply this diff:
echo "=== Receiving AquaSec Scan Results ===" SCAN_RESULTS_ENDPOINT="https://eu-central-1.edge.cloud.aquasec.com/codesec/api/v1/scans/results" - SCAN_RESULTS=$(curl -s -X GET \ + SCAN_RESPONSE=$(curl -s -w "\n%{http_code}" --max-time 10 -X GET \ "$SCAN_RESULTS_ENDPOINT?repositoryIds=$REPO_ID" \ -H "Authorization: Bearer $BEARER_TOKEN" \ -H "Accept: application/json") - if [ -z "$SCAN_RESULTS" ]; then + SCAN_RESULTS=$(echo "$SCAN_RESPONSE" | head -n -1) + HTTP_STATUS=$(echo "$SCAN_RESPONSE" | tail -n 1) + + if [ "$HTTP_STATUS" != "200" ]; then + echo "AquaSec API returned HTTP status $HTTP_STATUS" echo "Failed to retrieve scan results" exit 1 + fi + + if [ -z "$SCAN_RESULTS" ]; then + echo "Scan results body is empty" exit 1 fi
30-55: Mask AQUA_SECRET before using it in shell commands to prevent log exposure.

The `AQUA_SECRET` is used directly in the OpenSSL HMAC calculation (line 37) without masking. If the step fails, debug logging is enabled, or the openssl command outputs diagnostic information, the secret could be leaked into workflow logs. Although `BEARER_TOKEN` is correctly masked on line 51, `AQUA_SECRET` should also be masked immediately upon use.

Apply this diff to mask the secret:
echo "=== Authenticating with AquaSec ===" TIMESTAMP=$(date -u +%s) AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com" METHOD="POST" POST_BODY='{"validity":240,"allowed_endpoints":["GET","POST"]}' STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}" + echo "::add-mask::$AQUA_SECRET" SIGNATURE=$(echo -n "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "$AQUA_SECRET" -hex | sed 's/.*= //g')
57-64: Add explicit error handling and timeout to GitHub API call.

The curl request on line 59 lacks error handling and a timeout. If the request hangs or fails, the subsequent check for empty/null `REPO_ID` masks the root cause. Additionally, silent curl failures are not detected. Add `--max-time`, explicit error handling, and curl exit code validation.

Apply this diff:
echo "=== Getting Repository ID from GitHub ===" - REPO_ID=$(curl -s "https://api.github.com/repos/${{ github.repository }}" | jq -r '.id') + REPO_ID=$(curl -s --max-time 10 "https://api.github.com/repos/${{ github.repository }}" 2>/dev/null | jq -r '.id' 2>/dev/null) + if [ $? -ne 0 ]; then + echo "Failed to retrieve repository ID from GitHub API" + exit 1 + fi if [ -z "$REPO_ID" ] || [ "$REPO_ID" = "null" ]; then echo "Failed to get repository ID from GitHub" exit 1 fi
| echo "=== Scan Results ===" | ||
| echo "$SCAN_RESULTS" | jq '.' No newline at end of file |
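Review bot: `echo "$SCAN_RESULTS" | jq '.'` writes the complete scan report into the job log; because this workflow also runs on pull requests, that log is readable by anyone who can see the PR, so the repository's vulnerability details end up there. Log only a short summary (for example the number of results) and pass the full JSON on via `GITHUB_OUTPUT` or an artifact, where access follows the job rather than the log. The file also lacks a trailing newline.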
Export scan results via GITHUB_OUTPUT for use in downstream jobs.
The workflow echoes the scan results to stdout (line 80) but does not emit them as a workflow output via GITHUB_OUTPUT. The summary mentions the workflow "emits the scan JSON via GITHUB_OUTPUT," but this is not implemented. Add a line to export the results so they can be accessed by subsequent jobs or workflow runs.
echo "=== Scan Results ==="
echo "$SCAN_RESULTS" | jq '.'
+ echo "AQUASEC_SCAN_RESULTS=$SCAN_RESULTS" >> $GITHUB_OUTPUT
🤖 Prompt for AI Agents
In .github/workflows/aquasec_repository_scan.yml around lines 79 to 80, the job
prints the scan JSON to stdout but does not export it as a GitHub Actions
output; append the scan JSON to GITHUB_OUTPUT so downstream jobs can consume it
by adding a multi-line output write like: write a "scan_results" multi-line
output block to $GITHUB_OUTPUT (for example using the heredoc pattern: echo
"scan_results<<EOF" >> $GITHUB_OUTPUT; echo "$SCAN_RESULTS" >> $GITHUB_OUTPUT;
echo "EOF" >> $GITHUB_OUTPUT), ensuring the JSON is preserved even if it
contains newlines or special characters.
Actionable comments posted: 2
♻️ Duplicate comments (4)
.github/workflows/aquasec_repository_scan.yml (4)
44-45: Mask AQUA_SECRET before use in HMAC computation.

`AQUA_SECRET` is used directly in the openssl command without masking. If the step fails or debug logging is enabled, the secret could be exposed in logs.

Apply this diff to mask the secret immediately:
STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}" + echo "::add-mask::$AQUA_SECRET" SIGNATURE=$(echo -n "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "$AQUA_SECRET" -hex | sed 's/.*= //g')
55-64: Validate jq exit code after parsing auth response.

Line 55 assumes jq successfully parsed the response. If the response is malformed or jq fails, `RESPONSE_STATUS` may be empty or contain an error, and the subsequent check on line 57 will silently fail.

Apply this diff:
RESPONSE_STATUS=$(echo "$AUTH_RESPONSE" | jq -r '.status' 2>/dev/null) + if [ $? -ne 0 ]; then + echo "Failed to parse AquaSec authentication response" + exit 1 + fi if [ "$RESPONSE_STATUS" = "200" ]; then
79-80: Export scan results to GITHUB_OUTPUT for downstream job consumption.

The workflow outputs results to stdout but does not emit them as a GitHub Actions workflow output. To allow downstream jobs to consume the scan results, append them to `GITHUB_OUTPUT` using a heredoc pattern to preserve newlines and special characters.

Apply this diff:
echo "=== Scan Results ===" echo "$SCAN_RESULTS" | jq '.' + echo "scan_results<<EOF" >> $GITHUB_OUTPUT + echo "$SCAN_RESULTS" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT
69-72: Fix malformed curl URL syntax; close quote before line continuation.

Line 70 has a syntax error: the URL string is not properly terminated before the backslash continuation. The shell will fail to parse this command.
Additionally, no HTTP status code validation is performed, so 4xx/5xx error responses from AquaSec will be treated as valid results.
Apply this diff to fix the syntax and add HTTP status validation:
- SCAN_RESULTS=$(curl -s -X GET \ + SCAN_RESPONSE=$(curl -s -w "\n%{http_code}" --max-time 10 -X GET \ - "$SCAN_RESULTS_ENDPOINT?repositoryIds=${{ github.repository_id }} \ + "$SCAN_RESULTS_ENDPOINT?repositoryIds=${{ github.repository_id }}" \ -H "Authorization: Bearer $BEARER_TOKEN" \ -H "Accept: application/json") + + SCAN_RESULTS=$(echo "$SCAN_RESPONSE" | head -n -1) + HTTP_STATUS=$(echo "$SCAN_RESPONSE" | tail -n 1) + + if [ "$HTTP_STATUS" != "200" ]; then + echo "AquaSec API returned status $HTTP_STATUS" + echo "Failed to retrieve scan results" + exit 1 + fi
🧹 Nitpick comments (1)
.github/workflows/aquasec_repository_scan.yml (1)
74-77: Add explicit check for empty scan results after HTTP validation.

Once HTTP status validation is added (see previous comment), add an explicit empty-content check as a secondary safety net.
Apply this diff after HTTP validation:
+ if [ -z "$SCAN_RESULTS" ]; then + echo "Scan results are empty" + exit 1 + fi
| AUTH_RESPONSE=$(curl -s -X "$METHOD" "$AUTH_ENDPOINT" \ | ||
| -H "Content-Type: application/json" \ | ||
| -H "X-API-Key: $AQUA_KEY" \ | ||
| -H "X-Signature: $SIGNATURE" \ | ||
| -H "X-Timestamp: $TIMESTAMP" \ | ||
| -d "$POST_BODY") |
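Review bot: besides the missing `--max-time`, `curl -s` here hides the error message when the connection itself fails, so `AUTH_RESPONSE` is silently empty and the step only dies later with the generic "Login failed". Use `-sS`, and check `$?` immediately after the command substitution so a transport failure is attributed to the authentication call rather than to the credentials.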
Add timeout to AquaSec authentication curl call.
The auth request to AquaSec (lines 48–53) lacks a timeout. If the network hangs or the endpoint is unreachable, the step will block indefinitely. Add --max-time 10 to curl.
Apply this diff:
- AUTH_RESPONSE=$(curl -s -X "$METHOD" "$AUTH_ENDPOINT" \
+ AUTH_RESPONSE=$(curl -s --max-time 10 -X "$METHOD" "$AUTH_ENDPOINT" \
-H "Content-Type: application/json" \
-H "X-API-Key: $AQUA_KEY" \
-H "X-Signature: $SIGNATURE" \
-H "X-Timestamp: $TIMESTAMP" \
-d "$POST_BODY")
🤖 Prompt for AI Agents
.github/workflows/aquasec_repository_scan.yml around lines 48 to 53: the curl
call used for AquaSec authentication lacks a timeout which can cause the step to
hang indefinitely if the network or endpoint is unresponsive; add the curl
option --max-time 10 to the command so the request will fail after 10 seconds,
keeping other headers and payload intact.
Actionable comments posted: 1
♻️ Duplicate comments (4)
.github/workflows/aquasec_repository_scan.yml (4)
47-52: Add timeout to AquaSec authentication curl request.

The curl call lacks a timeout. If the AquaSec endpoint is unresponsive, the step will block indefinitely. Add `--max-time 10` to ensure the request fails after 10 seconds.

Apply this diff:
- AUTH_RESPONSE=$(curl -s -X "$METHOD" "$AUTH_ENDPOINT" \ + AUTH_RESPONSE=$(curl -s --max-time 10 -X "$METHOD" "$AUTH_ENDPOINT" \ -H "Content-Type: application/json" \ -H "X-API-Key: $AQUA_KEY" \ -H "X-Signature: $SIGNATURE" \ -H "X-Timestamp: $TIMESTAMP" \ -d "$POST_BODY")
78-79: Export scan results via GITHUB_OUTPUT for downstream job access.

The workflow outputs scan results to stdout but does not export them via `GITHUB_OUTPUT`. As described in the PR objectives, results should be emitted so downstream jobs can consume them. Add a multi-line output block.

Apply this diff:
echo "=== Scan Results ===" echo "$SCAN_RESULTS" | jq '.' + echo "scan_results<<EOF" >> $GITHUB_OUTPUT + echo "$SCAN_RESULTS" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT
32-44: Mask AQUA_SECRET before use in HMAC calculation.

The `AQUA_SECRET` is used directly in the openssl command (line 44) without masking. If the step fails or debug logging is enabled, the secret could be exposed in workflow logs. Mask it immediately before the HMAC calculation.

Apply this diff to mask the secret:
STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}" + echo "::add-mask::$AQUA_SECRET" SIGNATURE=$(echo -n "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "$AQUA_SECRET" -hex | sed 's/.*= //g')
68-71: Fix syntax error in curl URL and add timeout and HTTP status validation.

Syntax Error: Line 69 is missing a closing quote after the URL parameter. The URL will be malformed, causing curl to fail.
Reliability Issues: The curl request lacks timeout and HTTP status validation. If AquaSec returns an error (4xx/5xx), it will be treated as valid results, potentially masking failures.
Apply this diff to fix the syntax error and add timeout/status validation:
SCAN_RESULTS_ENDPOINT="https://eu-central-1.edge.cloud.aquasec.com/codesec/api/v1/scans/results" - SCAN_RESULTS=$(curl -s -X GET \ - "$SCAN_RESULTS_ENDPOINT?repositoryIds=${{ github.repository_id }} \ + SCAN_RESPONSE=$(curl -s -w "\n%{http_code}" --max-time 10 -X GET \ + "$SCAN_RESULTS_ENDPOINT?repositoryIds=${{ github.repository_id }}" \ -H "Authorization: Bearer $BEARER_TOKEN" \ -H "Accept: application/json") + + SCAN_RESULTS=$(echo "$SCAN_RESPONSE" | head -n -1) + HTTP_STATUS=$(echo "$SCAN_RESPONSE" | tail -n 1) + + if [ "$HTTP_STATUS" != "200" ]; then + echo "AquaSec API returned HTTP status $HTTP_STATUS" + echo "Failed to retrieve scan results" + exit 1 + fi
📒 Files selected for processing (1)
- .github/workflows/aquasec_repository_scan.yml (1 hunks)
🔇 Additional comments (3)
.github/workflows/aquasec_repository_scan.yml (3)
20-23: LGTM — checkout is properly configured.

The upgrade to `actions/checkout@v6` addresses the prior review feedback, and disabling `persist-credentials` follows security best practices.

8-12: Permissions are appropriately scoped.

The permissions block correctly enables the actions needed (contents: read for checkout, write permissions for security events, PR comments, etc.) while maintaining least-privilege principles.

1-17: Workflow trigger and job configuration are appropriate.

The workflow correctly triggers on both manual dispatch and pull requests, with a clear job name and appropriate runner selection.
| RESPONSE_STATUS=$(echo "$AUTH_RESPONSE" | jq -r '.status') | ||
|
|
||
| if [ "$RESPONSE_STATUS" = "200" ]; then | ||
| echo "Login successful." | ||
| BEARER_TOKEN=$(echo "$AUTH_RESPONSE" | jq -r '.data') | ||
| echo "::add-mask::$BEARER_TOKEN" | ||
| else | ||
| echo "Login failed" | ||
| exit 1 | ||
| fi |
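Review bot: `jq -r '.status'` and `jq -r '.data'` print the literal string `null` when the field is absent, so an unexpected response shape is not caught and a bearer token of `null` would be masked and sent on the next request. Use `jq -er` so a missing or null field fails the pipeline, keep `echo "::add-mask::$BEARER_TOKEN"` as the first statement after the token is extracted (as it is here), and on the `else` branch print the returned status or the response's error message rather than only "Login failed", which gives no way to tell a rejected signature from a bad key or a transport error.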
Add error handling for jq parsing of authentication response.
The jq call on line 54 assumes the response is valid JSON. If jq fails or the response is malformed, the error is silent. Additionally, if .status or .data fields are missing, the behavior is undefined. Add explicit error handling.
Apply this diff:
RESPONSE_STATUS=$(echo "$AUTH_RESPONSE" | jq -r '.status' 2>/dev/null)
+ if [ $? -ne 0 ] || [ -z "$RESPONSE_STATUS" ]; then
+ echo "Failed to parse AquaSec authentication response"
+ echo "Response: $AUTH_RESPONSE"
+ exit 1
+ fi
if [ "$RESPONSE_STATUS" = "200" ]; then
echo "Login successful."
BEARER_TOKEN=$(echo "$AUTH_RESPONSE" | jq -r '.data' 2>/dev/null)
+ if [ $? -ne 0 ] || [ -z "$BEARER_TOKEN" ]; then
+ echo "Failed to extract bearer token from response"
+ exit 1
+ fi
echo "::add-mask::$BEARER_TOKEN"
else
echo "Login failed"
exit 1
fi
🤖 Prompt for AI Agents
.github/workflows/aquasec_repository_scan.yml around lines 54 to 63: the script
assumes AUTH_RESPONSE is valid JSON and blindly extracts .status and .data with
jq; add robust error handling by first ensuring jq succeeds (check jq exit code
and/or use set -o pipefail before pipelines), validate that RESPONSE_STATUS is
non-empty and numeric (or exactly "200") and that BEARER_TOKEN is non-empty
before masking/using it, and on any jq parse failure or missing field print
AUTH_RESPONSE (or a truncated safe snippet), log a clear error message, and exit
with non-zero status; ensure any jq invocation uses -e or tests for null to
detect missing fields so malformed responses don't silently proceed.
Actionable comments posted: 1
♻️ Duplicate comments (5)
.github/workflows/aquasec_repository_scan.yml (5)
78-79: Export scan results via `GITHUB_OUTPUT` for downstream job access.

The workflow echoes scan results to stdout but does not emit them as a GitHub Actions output. Per the PR description, the workflow should "emit the scan JSON via GITHUB_OUTPUT" so downstream jobs can consume it.

Apply this diff to export the results:
echo "=== Scan Results ===" echo "$SCAN_RESULTS" | jq '.' + + # Export as multi-line output to preserve JSON formatting + { + echo "scan_results<<EOF" + echo "$SCAN_RESULTS" + echo "EOF" + } >> $GITHUB_OUTPUT
54-63: Add explicit error handling for jq parsing of authentication response.

The jq calls assume the response is valid JSON. If jq fails or fields are missing, errors are silent. Validate that jq parsing succeeds and that extracted values are non-empty before use.

Apply this diff:
RESPONSE_STATUS=$(echo "$AUTH_RESPONSE" | jq -r '.status') + if [ $? -ne 0 ] || [ -z "$RESPONSE_STATUS" ]; then + echo "Failed to parse AquaSec authentication response" + exit 1 + fi if [ "$RESPONSE_STATUS" = "200" ]; then echo "Login successful." BEARER_TOKEN=$(echo "$AUTH_RESPONSE" | jq -r '.data') + if [ $? -ne 0 ] || [ -z "$BEARER_TOKEN" ]; then + echo "Failed to extract bearer token from response" + exit 1 + fi echo "::add-mask::$BEARER_TOKEN" else echo "Login failed" exit 1 fi
44-44: Mask `AQUA_SECRET` before use to prevent exposure in logs.

The `AQUA_SECRET` is used directly in the HMAC calculation without masking. If the step fails or debug logging is enabled, the secret could be exposed in workflow logs. Mask it immediately before the shell command that references it.

Apply this diff:
STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}" + echo "::add-mask::$AQUA_SECRET" SIGNATURE=$(echo -n "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "$AQUA_SECRET" -hex | sed 's/.*= //g')
47-52: Add timeout and error handling to AquaSec authentication curl call.

The curl request lacks both a timeout (risking indefinite hangs) and explicit error handling. If curl fails or the endpoint is unreachable, the failure is not caught until a downstream check on the token.
Apply this diff to add timeout and error handling:
- AUTH_RESPONSE=$(curl -s -X "$METHOD" "$AUTH_ENDPOINT" \ + AUTH_RESPONSE=$(curl -s --max-time 10 -w "\n%{http_code}" -X "$METHOD" "$AUTH_ENDPOINT" \ -H "Content-Type: application/json" \ -H "X-API-Key: $AQUA_KEY" \ -H "X-Signature: $SIGNATURE" \ -H "X-Timestamp: $TIMESTAMP" \ -d "$POST_BODY") + + HTTP_STATUS=$(echo "$AUTH_RESPONSE" | tail -n 1) + AUTH_RESPONSE=$(echo "$AUTH_RESPONSE" | head -n -1) + + if [ "$HTTP_STATUS" != "200" ]; then + echo "AquaSec authentication failed with HTTP status $HTTP_STATUS" + exit 1 + fi
68-76: Add timeout and HTTP status validation to scan results retrieval.

The curl request (after fixing the syntax error above) lacks a timeout and HTTP status validation. If AquaSec returns a 4xx/5xx error, it will be treated as valid results, masking the failure. Additionally, no timeout is configured, risking indefinite waits.
Apply this diff to add timeout and HTTP status validation:
SCAN_RESULTS=$(curl -s -w "\n%{http_code}" --max-time 10 -X GET \ "$SCAN_RESULTS_ENDPOINT?repositoryIds=${{ github.repository_id }}" \ -H "Authorization: Bearer $BEARER_TOKEN" \ -H "Accept: application/json") + SCAN_HTTP_STATUS=$(echo "$SCAN_RESULTS" | tail -n 1) + SCAN_RESULTS=$(echo "$SCAN_RESULTS" | head -n -1) + + if [ "$SCAN_HTTP_STATUS" != "200" ]; then + echo "AquaSec API returned HTTP status $SCAN_HTTP_STATUS" + exit 1 + fi + if [ -z "$SCAN_RESULTS" ]; then echo "Failed to retrieve scan results" exit 1 fi
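The three fixes the review rounds keep returning to (masking the secret before the HMAC signing step, splitting curl's appended HTTP status from the body and failing closed on it, and the heredoc form of a multi-line GITHUB_OUTPUT) as one set of shell helpers, added here as an example; this is not the workflow's or the reviewer's code. It assumes the AquaSec signature is HMAC-SHA256 over the exact string-to-sign the workflow builds, and it runs offline on constructed input, so the curl calls themselves stay in the workflow.

```shell
#!/usr/bin/env bash
# Hardened helpers for the AquaSec scan step reviewed in this PR. Added example,
# not the workflow's own code. Assumptions: the signature is HMAC-SHA256 over
# "<unix timestamp><METHOD><path><body>" exactly as the workflow builds it, and
# the network calls stay in the workflow; everything here runs on constructed
# input. In the workflow's bash step also add -o pipefail.
set -eu

# HMAC-SHA256 of $2 keyed with $1, as lowercase hex. openssl prefixes the digest
# with "(stdin)= " (or "HMAC-SHA256(stdin)= " on OpenSSL 3); strip up to "= ".
hmac_sha256_hex() {
  printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" -hex | sed 's/^.*= //'
}

# The string the workflow signs: timestamp, method, path and body, no separators.
# Passing the path in once keeps the signed path and the request URL from drifting.
build_string_to_sign() {
  printf '%s%s%s%s' "$1" "$2" "$3" "$4"
}

# GitHub Actions log-masking command; emit it before any command that references
# the secret, so a failing step or set -x cannot print the value.
mask_secret() {
  printf '::add-mask::%s\n' "$1"
}

# With curl -w "\n%{http_code}" the status code is the final line of the captured
# output. Split it off portably (sed '$d' rather than GNU-only head -n -1).
http_status_of() { printf '%s\n' "$1" | tail -n 1; }
http_body_of()   { printf '%s\n' "$1" | sed '$d'; }

# Fail closed: anything but HTTP 200 or an empty body is an error, so an AquaSec
# 4xx/5xx response is never mistaken for scan results. Prints the body on success.
require_ok_body() {
  local status body
  status=$(http_status_of "$1")
  body=$(http_body_of "$1")
  if [ "$status" != "200" ]; then
    echo "AquaSec API returned HTTP status $status" >&2
    return 1
  fi
  if [ -z "$body" ]; then
    echo "Scan results body is empty" >&2
    return 1
  fi
  printf '%s\n' "$body"
}

# Multi-line step output in the documented "name<<DELIM ... DELIM" form. A random
# delimiter means a payload that itself contains a line "EOF" cannot end the block
# early. In the workflow: gha_multiline_output scan_results "$SCAN_RESULTS" >> "$GITHUB_OUTPUT"
gha_multiline_output() {
  local delim
  delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  printf '%s<<%s\n%s\n%s\n' "$1" "$delim" "$2" "$delim"
}

main() {
  # Constructed sample values; in the workflow the secret comes from GitHub secrets.
  local secret="example-secret-not-real" ts=1700000000
  local body='{"validity":240,"allowed_endpoints":["GET"]}'
  mask_secret "$secret"
  local sig
  sig=$(hmac_sha256_hex "$secret" "$(build_string_to_sign "$ts" POST /v2/tokens "$body")")
  echo "X-Timestamp: $ts (signature computed, ${#sig} hex chars, not logged)"
  # Constructed response in the shape curl -w "\n%{http_code}" delivers it.
  local resp results
  resp=$(printf '{"results":[]}\n200')
  results=$(require_ok_body "$resp")
  gha_multiline_output scan_results "$results"
}

main
```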
WORK IN PROGRESS