
GitHub Action

Data Theorem API Secure

v1.0.0 Latest version


Request an asset scan from Data Theorem.

Installation

Copy and paste the following snippet into your .yml file.

- name: Data Theorem API Secure
  uses: datatheorem/datatheorem-api-secure-action@v1.0.0

Learn more about this action in datatheorem/datatheorem-api-secure-action


API Secure

Data Theorem's API Secure will scan your RESTful APIs for security issues, including, but not limited to, SQL injection, SSRF, XSS, and PII/PHI data publicly accessible on the Internet. More information can be found here:

https://www.datatheorem.com/products/api-secure

Valid Data Theorem API key required.

Set your Data Theorem API key as a secret

To find your Data Theorem API key, sign in to https://www.securetheorem.com/mobile/sdlc/results_api_access with your Data Theorem account.
Create an encrypted secret named DT_RESULTS_API_KEY in your GitHub repository.

For more information, see GitHub Encrypted secrets.

Find your RESTful API's ID

Go to your API Secure inventory in the Data Theorem portal and find the RESTful API you wish to scan.

Retrieve the RESTful API's ID from the URL of the RESTful API's page, which looks like:
https://securetheorem.com/api/restful-apis/<asset_id>

Optional scan configuration

Optionally, the following scan configuration settings can be specified:

should_perform_pii_analysis: <true/false>
If set to true, the API responses received by the scanner will be analyzed for personally identifiable information.

should_perform_sql_injection_scan: <true/false>
If set to true, the API’s parameters will be scanned for SQL injection issues.
This type of scan sends a large number of requests to the API; it will significantly increase the load on the API and could potentially disrupt it.

Sample usage

name: Request a Data Theorem API Secure scan

on:
  push:
    branches: [ main ]

jobs:
  scan:
    name: scan RESTful API for security issues
    runs-on: ubuntu-20.04
    steps:
      - name: Request Data Theorem API Secure scan
        uses: datatheorem/datatheorem-api-secure-action@v1.0.0
        with:
          dt_results_api_key: ${{ secrets.DT_RESULTS_API_KEY }}
          asset_id: "15255982-380f-4dae-8fed-b06fc6a82566"
          asset_base_url: "https://<asset_base_url>/"
          # Optional scan configuration
          should_perform_pii_analysis: false
          should_perform_sql_injection_scan: false
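The three preparation steps above (pulling the asset ID out of the portal URL, filling in asset_base_url, and choosing the two optional scan settings) are easy to get subtly wrong in a copy-pasted workflow. The following helper is an added example, not code from Data Theorem or from this action; it assumes only what the README states: that the asset ID is the last path segment of https://securetheorem.com/api/restful-apis/<asset_id>, that it is a UUID like the one in the sample workflow (an assumption drawn from that sample, not a documented guarantee), and that the step inputs are named exactly as in the sample above. It validates those inputs, refuses to render a step with the load-heavy SQL injection scan enabled unless the caller explicitly acknowledges the load warning from the README, and emits the `with:` block for the workflow.

```python
"""Prepare and sanity-check inputs for the Data Theorem API Secure action.

Added example; not part of the action's own code. Input names, the portal URL
shape and the UUID-shaped asset ID are taken from the README text and sample.
"""
import uuid
from typing import Optional
from urllib.parse import urlparse

# Portal hosts named in the README; anything else is rejected.
PORTAL_HOSTS = {"securetheorem.com", "www.securetheorem.com"}
ACTION_REF = "datatheorem/datatheorem-api-secure-action@v1.0.0"  # version from the page


def extract_asset_id(portal_url: str) -> str:
    """Return <asset_id> from https://securetheorem.com/api/restful-apis/<asset_id>.

    Raises ValueError for any other URL, so a link to the wrong portal page
    (for example the API-key page) cannot silently be used as an asset ID.
    """
    parts = urlparse(portal_url)
    if parts.scheme != "https" or parts.netloc.lower() not in PORTAL_HOSTS:
        raise ValueError(f"not a Data Theorem portal URL: {portal_url}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 3 or segments[:2] != ["api", "restful-apis"]:
        raise ValueError(f"URL is not a RESTful API asset page: {portal_url}")
    asset_id = segments[2]
    try:
        uuid.UUID(asset_id)  # assumption: asset IDs are UUIDs, as in the README sample
    except ValueError:
        raise ValueError(f"asset ID is not a UUID: {asset_id}") from None
    return asset_id.lower()


def extract_asset_id_or_none(portal_url: str) -> Optional[str]:
    """Non-raising variant for callers that just want a yes/no answer."""
    try:
        return extract_asset_id(portal_url)
    except ValueError:
        return None


def validate_base_url(asset_base_url: str) -> str:
    """The scanner will send requests here: insist on https, a host, and no
    leftover <placeholder> text from the README. Normalises to a trailing slash."""
    if "<" in asset_base_url or ">" in asset_base_url:
        raise ValueError("asset_base_url still contains the <placeholder> from the README")
    parts = urlparse(asset_base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"asset_base_url must be an https URL with a host: {asset_base_url}")
    return asset_base_url if asset_base_url.endswith("/") else asset_base_url + "/"


def render_step(asset_id: str, asset_base_url: str, *,
                pii_analysis: bool = False,
                sql_injection_scan: bool = False,
                acknowledge_load: bool = False) -> str:
    """Render the workflow step as YAML text.

    The README warns that the SQL injection scan significantly increases load
    on the API and could disrupt it, so enabling it requires an explicit
    acknowledge_load=True; the default renders both optional scans off.
    """
    if sql_injection_scan and not acknowledge_load:
        raise ValueError("should_perform_sql_injection_scan=true sends a large number of "
                         "requests and may disrupt the API; pass acknowledge_load=True")
    base_url = validate_base_url(asset_base_url)
    uuid.UUID(asset_id)  # same assumption as above: reject non-UUID IDs early
    lines = [
        "- name: Request Data Theorem API Secure scan",
        f"  uses: {ACTION_REF}",
        "  with:",
        "    dt_results_api_key: ${{ secrets.DT_RESULTS_API_KEY }}",  # secret, never a literal key
        f'    asset_id: "{asset_id}"',
        f'    asset_base_url: "{base_url}"',
        "    # Optional scan configuration",
        f"    should_perform_pii_analysis: {str(pii_analysis).lower()}",
        f"    should_perform_sql_injection_scan: {str(sql_injection_scan).lower()}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed inputs: the asset ID from the README sample and a made-up API host.
    aid = extract_asset_id(
        "https://securetheorem.com/api/restful-apis/15255982-380f-4dae-8fed-b06fc6a82566")
    print(render_step(aid, "https://api.example.com", pii_analysis=True))
```

Paste the printed step into the `steps:` list of the workflow; the API key is still only ever referenced through the DT_RESULTS_API_KEY secret, never written into the file.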