The following guide walks through how to set up GitHub Actions to run both SCA and SAST scans using the StartLeft extension available on the GitHub Marketplace: https://github.com/marketplace/actions/sls-pipeline-scanner

Set up the required secrets.

  1. Navigate to Repo Settings -> Secrets and Variables -> Actions
  2. Select Manage Organization Secrets, then Add organization secret, and add the following:
  • SLS_CLIENT_ID & SLS_CLIENT_SECRET - used to authenticate to the StartLeft Container Registry.
  3. Then add a New repository secret:
  • SLS_SCAN_KEY - The Scan Key can be found under Product Data Sources -> Start Left Scanner -> Scan Key (it is also available on the Asset details page for the repository).

Set up the GitHub Action

  1. Create the sls.yml under Actions -> New Workflow, then choose "set up a workflow yourself".
  2. Replace main.yml with a meaningful name, e.g. sls-scan.yml.
  3. Paste the script below into the file contents:
# Name of this GitHub Actions workflow.
name: StartLeft

on:
  # Scan on-demand through GitHub Actions interface:
  workflow_dispatch: {}
  # Scan mainline branches and report all findings:
  #push:
    #branches: ["master", "main"]
  # Schedule the CI job (this method uses cron syntax):
  #schedule:
    #- cron: '20 23 * * 1' # Sets schedule to scan every Monday at 23:20 UTC.
    # It is recommended to change the schedule to a random time.

permissions:
  contents: read

jobs:
  sls:
    # User definable name of this GitHub Actions job.
    name: sls/scan
    # If you are self-hosting, change the following `runs-on` value: 
    runs-on: ubuntu-latest

    # Skip any PR created by dependabot to avoid permission issues:
    if: (github.actor != 'dependabot[bot]')

    steps:
      # Fetch project source with GitHub Actions Checkout.
      - uses: actions/checkout@v4
        with:
          # Set the depth to 0 to fetch all history for commit analysis:
          fetch-depth: 0
          # Set the following to true if you want to include submodules in the scan:
          #submodules: true

      - name: Pull and Run SLS Scanner
        uses: tauruseer/[email protected]
        with:
          scanKey: ${{ secrets.SLS_SCAN_KEY }}
          username: ${{ secrets.SLS_CLIENT_ID }}
          password: ${{ secrets.SLS_CLIENT_SECRET }}
          runSCA: 'true'
          runSAST: 'true'
          runGitleaks: 'true'
  4. Commit changes.
  5. The scan job starts automatically upon detecting the committed sls.yml file.
You can toggle specific scan types by adjusting the runSCA or runSAST options.
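As an added example (not part of this guide or of the StartLeft action), the following Python script audits the pasted workflow text before it is committed: it flags credential inputs given as literals instead of ${{ secrets.* }} expressions, action references that are not pinned, a missing "permissions: contents: read" block, and a workflow with every scan type switched off. The rules and the placeholder action reference are assumptions made for the example, not StartLeft requirements.

```python
import re

# Inputs that must come from ${{ secrets.* }}, and the scan toggles the guide describes.
SECRET_INPUTS = ("scanKey", "username", "password")
SCAN_TOGGLES = ("runSCA", "runSAST", "runGitleaks")
SECRET_EXPR = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}$")
KEY_VALUE = re.compile(r"^(\w+):\s*(.*)$")

def audit_workflow(text: str) -> list[str]:
    """Return review findings for a workflow given as YAML text (empty means clean)."""
    findings, enabled = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        # Naive comment/list-marker stripping: enough for this workflow, not full YAML.
        line = re.sub(r"^-\s*", "", raw.split("#", 1)[0].strip())
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip("'\"")
        if key in SECRET_INPUTS and not SECRET_EXPR.match(value):
            findings.append(f"line {n}: {key} is a literal, not a secrets expression")
        elif key == "uses" and "@" not in value:
            findings.append(f"line {n}: action {value!r} is not pinned to a tag or SHA")
        elif key in SCAN_TOGGLES:
            enabled[key] = value.lower() == "true"
    if not any(enabled.values()):
        findings.append("no scan type is enabled (runSCA/runSAST/runGitleaks)")
    if not re.search(r"^permissions:\s*$\n\s+contents:\s*read\s*$", text, re.M):
        findings.append("permissions block does not restrict GITHUB_TOKEN to contents: read")
    return findings

# Constructed, trimmed copy of the guide's workflow; the action ref is a placeholder.
GOOD = """\
permissions:
  contents: read
jobs:
  sls:
    steps:
      - uses: actions/checkout@v4
      - name: Pull and Run SLS Scanner
        uses: tauruseer/ACTION@VERSION  # placeholder: copy the real ref from the guide
        with:
          scanKey: ${{ secrets.SLS_SCAN_KEY }}
          username: ${{ secrets.SLS_CLIENT_ID }}
          password: ${{ secrets.SLS_CLIENT_SECRET }}
          runSCA: 'true'
          runSAST: 'true'
"""
# Same workflow with a pasted-in client secret and no permissions block.
BAD = GOOD.replace("${{ secrets.SLS_CLIENT_SECRET }}", "hunter2").replace(
    "permissions:\n  contents: read\n", "")
```

Run audit_workflow on the file contents before committing; an empty list means every check passed.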