datatheorem/datatheorem-api-secure-action

API Secure

Data Theorem's API Secure will scan your RESTful APIs for security issues, including, but not limited to, SQL injection, SSRF, XSS, and PII/PHI data publicly accessible on the Internet. More information can be found here:

https://www.datatheorem.com/products/api-secure

A valid Data Theorem API key is required.

Set your Data Theorem API key as a secret

To find your Data Theorem API key, connect to https://www.securetheorem.com/mobile/sdlc/results_api_access using your Data Theorem account.
Create an encrypted secret named DT_RESULTS_API_KEY in your GitHub repository.

For more information, see GitHub Encrypted secrets.

Find your RESTful API's ID

Go to your API Secure inventory in the Data Theorem portal and find the RESTful API you wish to scan.

Retrieve the RESTful API's ID from the URL of the RESTful API's page, which looks like:
https://securetheorem.com/api/restful-apis/<asset_id>

Optional scan configuration

Optionally, the following scan configuration settings can be specified:

should_perform_pii_analysis: <true/false>
If set to true, the API responses received by the scanner will be analyzed for personally identifiable information.

should_perform_sql_injection_scan: <true/false>
If set to true, the API's parameters will be scanned for SQL injection issues.
This type of scan sends a large number of requests to the API; it will significantly increase the load on the API and could potentially disrupt it.

Sample usage

name: Request a Data Theorem API Secure scan

on:
  push:
    branches: [ main ]

jobs:
  scan:
    name: scan RESTful API for security issues
    runs-on: ubuntu-20.04
    steps:
      - name: Request Data Theorem API Secure scan
        uses: datatheorem/datatheorem-api-secure-action@<version>  # use the release tag listed on the Marketplace
        with:
          dt_results_api_key: ${{ secrets.DT_RESULTS_API_KEY }}
          asset_id: "15255982-380f-4dae-8fed-b06fc6a82566"
          asset_base_url: "https://<asset_base_url>/"
          # Optional scan configuration
          should_perform_pii_analysis: false
          should_perform_sql_injection_scan: false
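The sample above runs a single scan on every push. Because the SQL injection scan described under "Optional scan configuration" is load-heavy and can disrupt the target, a practitioner usually splits the two modes: the lightweight PII analysis against the production base URL on push, and the full scan (including SQL injection) against a staging deployment only on a schedule or a manual trigger. The workflow below is an added example, not part of this repository; it assumes two GitHub environments named production and staging (each holding its own DT_RESULTS_API_KEY secret), assumes the scanner targets whatever asset_base_url is given, and uses <version>, <asset_id> and the example.com host names as placeholders.

```yaml
name: Data Theorem API Secure scans

on:
  push:
    branches: [ main ]
  # The disruptive scan only runs on a weekly schedule or when started by hand.
  schedule:
    - cron: '0 3 * * 0'        # Sundays, 03:00 UTC
  workflow_dispatch:
    inputs:
      run_sqli_scan:
        description: 'Also run the SQL injection scan against staging'
        type: boolean
        default: false

# Never let two scans of the same API overlap and double the load.
concurrency:
  group: api-secure-${{ github.ref }}
  cancel-in-progress: false

jobs:
  scan-production:
    name: PII analysis only (production)
    if: github.event_name == 'push'
    runs-on: ubuntu-22.04
    environment: production     # assumed environment; holds the production DT_RESULTS_API_KEY
    steps:
      - name: Request Data Theorem API Secure scan
        uses: datatheorem/datatheorem-api-secure-action@<version>   # placeholder: use the Marketplace release tag
        with:
          dt_results_api_key: ${{ secrets.DT_RESULTS_API_KEY }}
          asset_id: "<asset_id>"                                     # placeholder: ID from the API Secure inventory
          asset_base_url: "https://api.example.com/"                 # placeholder: production base URL
          should_perform_pii_analysis: true
          # Never fire a request-heavy injection scan at the live API.
          should_perform_sql_injection_scan: false

  scan-staging:
    name: Full scan, SQL injection included (staging)
    if: github.event_name != 'push'
    runs-on: ubuntu-22.04
    environment: staging        # assumed environment; holds the staging DT_RESULTS_API_KEY
    steps:
      - name: Request Data Theorem API Secure scan
        uses: datatheorem/datatheorem-api-secure-action@<version>   # placeholder: use the Marketplace release tag
        with:
          dt_results_api_key: ${{ secrets.DT_RESULTS_API_KEY }}
          asset_id: "<asset_id>"                                     # placeholder
          asset_base_url: "https://api-staging.example.com/"         # placeholder: staging base URL
          should_perform_pii_analysis: true
          # true on the scheduled run, or when the manual trigger opts in; false otherwise.
          should_perform_sql_injection_scan: ${{ github.event_name == 'schedule' || inputs.run_sqli_scan == true }}
```

Keeping the secret in per-environment scopes means the key that can scan production is never exposed to a job triggered by a manual run against staging, and the concurrency group prevents a scheduled scan and a manual one from hitting the same API at once. The expression for should_perform_sql_injection_scan evaluates to the string true or false, which is what the input expects.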