Source Code Artifact

Target component that downloads and extracts archived source code from various sources including HTTP endpoints and S3-compatible storage.

The component supports .zip, .tar, and .tar.gz archives fetched over multiple protocols and automatically extracts their contents for analysis by downstream components.

Supported Sources

The component can download archives from:

HTTP/HTTPS URLs:

https://github.com/example/repo/archive/refs/heads/main.zip

S3-compatible URLs:

s3://my-bucket/my-archive.tar
gs://my-bucket/my-archive.tar.gz

Supported Archive Formats

  • ZIP: .zip files
  • TAR: .tar files
  • TAR.GZ: .tar.gz and .tgz files

How to use

Open-Source

  1. Add the component to the workflow:

# file ./examples/source-code-artifact/workflow.yml
description: Downloads and unpacks a repository and runs go scanners on it
name: source-code-artifact
components:
- component: file://components/targets/source-code-artifact/component.yaml
- component: ghcr.io/smithy-security/smithy/manifests/components/scanners/gosec:v1.4.0
- component: ghcr.io/smithy-security/smithy/manifests/components/enrichers/custom-annotation:v0.2.0
- component: ghcr.io/smithy-security/smithy/manifests/components/reporters/json-logger:v1.1.0

  2. Configure the run parameters of the component in the overrides file:

# file: ./examples/source-code-artifact/overrides.yaml
source-code-artifact:
- name: "artifact_url"
  type: "string"
  value: "https://github.com/0c34/govwa/archive/refs/heads/master.zip"
- name: "artifact_reference"
  type: "string"
  value: "master"
- name: "artifact_registry_region"
  type: "string"
  value: "$artifact_registry_region"
- name: "auth_id"
  type: "string"
  value: "$auth_id"
- name: "auth_secret"
  type: "string"
  value: "$auth_secret"

SaaS

  1. In the Smithy UI, open the page to create a new workflow.
  2. Find the Source Code Artifact component in the Targets dropdown.
  3. Fill in the form on the right.

Options

You can configure this component with the following options:

| Option Name | Description | Default | Type |
|---|---|---|---|
| [Required] artifact_url | URL to the archive file | | String |
| [Required] artifact_reference | Branch, tag, or reference identifier | | String |
| artifact_extension | Extension of the artifact | | String |
| artifact_registry_region | AWS region for S3-compatible endpoints | | String |
| auth_id | Auth ID for authentication | | String |
| auth_secret | Secret for authentication | | String |

Note:

  • For S3-compatible endpoints, auth_id and auth_secret are used as Access Key ID and Access Key secret.
  • For HTTP endpoints, auth_id and auth_secret are used as username and password for basic authentication.

Check out the guidance here to correctly set up the options.
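
A pre-flight check for the options above, as an added example that is not part of the Smithy project or its documentation: it checks a parameter list shaped like the overrides file against the schemes, archive formats and required options listed on this page, and flags credential handling that would expose `auth_secret`. The name `lint_overrides`, the constructed sample values, the reading of `$name` values as run-time placeholders, and the use of `artifact_extension` when the URL carries no archive suffix are assumptions.

```python
from urllib.parse import urlparse

# From the page: supported URL schemes, archive suffixes, required options.
SCHEMES = {"http", "https", "s3", "gs"}
SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz")
REQUIRED = ("artifact_url", "artifact_reference")

# Values from the page's overrides example (region option omitted).
PAGE_EXAMPLE = [
    {"name": "artifact_url", "type": "string",
     "value": "https://github.com/0c34/govwa/archive/refs/heads/master.zip"},
    {"name": "artifact_reference", "type": "string", "value": "master"},
    {"name": "auth_id", "type": "string", "value": "$auth_id"},
    {"name": "auth_secret", "type": "string", "value": "$auth_secret"},
]
# Constructed sample with several problems; host and credentials are made up.
CONSTRUCTED_BAD = [
    {"name": "artifact_url", "type": "string", "value": "http://builds.example.com/latest"},
    {"name": "auth_id", "type": "string", "value": "ci-user"},
    {"name": "auth_secret", "type": "string", "value": "not-a-real-secret"},
]


def lint_overrides(params):
    """Return findings for a list of {name, type, value} option dicts."""
    opts = {p["name"]: str(p.get("value", "")) for p in params}
    findings = [f"missing required option: {n}" for n in REQUIRED if not opts.get(n)]
    url = urlparse(opts.get("artifact_url", ""))
    if url.scheme not in SCHEMES:
        findings.append(f"unsupported URL scheme: {url.scheme or '(none)'}")
    # Assumption: artifact_extension names the format when the URL does not.
    if not url.path.lower().endswith(SUFFIXES) and not opts.get("artifact_extension"):
        findings.append("archive format not in URL; set artifact_extension")
    if url.username or url.password:
        findings.append("credentials embedded in artifact_url; use auth_id/auth_secret")
    if url.scheme == "http" and (opts.get("auth_id") or opts.get("auth_secret")):
        findings.append("basic auth over plain http exposes auth_secret in transit")
    # Assumption: "$name" values are placeholders resolved at run time, so any
    # other auth_secret value is a literal secret stored in the overrides file.
    secret = opts.get("auth_secret", "")
    if secret and not secret.startswith("$"):
        findings.append("auth_secret is a literal value; use a $placeholder")
    return findings


if __name__ == "__main__":
    for finding in lint_overrides(CONSTRUCTED_BAD):
        print("FINDING:", finding)
```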