Source Code Artifact
Target component that downloads and extracts archived source code from various sources including HTTP endpoints and S3-compatible storage.
The component supports .zip, .tar, .tar.gz, .apk and .ipa archive formats from multiple protocols and automatically extracts the contents for analysis by downstream components.
Supported Sources
The component can download archives from:
HTTP/HTTPS URLs:
https://github.com/example/repo/archive/refs/heads/main.zip
S3-compatible URLs:
s3://my-bucket/my-archive.tar
gs://my-bucket/my-archive.tar.gz
Supported Archive Formats
- ZIP:
.zipfiles - TAR:
.tarfiles - TAR.GZ:
.tar.gzand.tgzfiles - APK:
.apkfiles - 🍺 IPA:
.ipafiles
How to use
Open-Source
- Add the component to the workflow:
# file ./examples/source-code-artifact/workflow.yml
description: Downloads and unpacks a repository and runs go scanners on it
name: source-code-artifact
components:
- component: ghcr.io/smithy-security/smithy/manifests/components/targets/source-code-artifact:v0.1.0
- component: ghcr.io/smithy-security/smithy/manifests/components/scanners/gosec:v1.4.0
- component: ghcr.io/smithy-security/smithy/manifests/components/enrichers/custom-annotation:v0.2.0
- component: ghcr.io/smithy-security/smithy/manifests/components/reporters/json-logger:v1.1.0
- Configure the run parameters of the component in the overrides file:
# file: ./examples/source-code-artifact/overrides.yaml
source-code-artifact:
- name: "artifact_url"
type: "string"
value: "https://github.com/0c34/govwa/archive/refs/heads/master.zip"
- name: "artifact_reference"
type: "string"
value: "master"
- name: "artifact_registry_region"
type: "string"
value: "$artifact_registry_region"
- name: "auth_id"
type: "string"
value: "$auth_id"
- name: "auth_secret"
type: "string"
value: "$auth_secret"
SaaS
- In the Smithy UI, open the page to create a new workflow.
- Find the Source Code Artifact component in the Targets dropdown.
- Fill the form on the right
Options
You can configure this component with the following options:
| Option Name | Description | Default | Type |
|---|---|---|---|
| [Required] artifact_url | URL to the archive file | String | |
| [Required] artifact_reference | Branch, tag, or reference identifier | String | |
| artifact_extension | Extension of the artifact | String | |
| artifact_registry_region | AWS region for S3-compatible endpoints | String | |
| auth_id | Auth ID for authentication | String | |
| auth_secret | Secret for authentication | String |
Note:
- For S3-compatible endpoints,
auth_idandauth_secretare used as Access Key ID and Access Key secret. - For HTTP endpoints,
auth_idandauth_secretare used as username and password for basic authentication.
Check out guidance here to correctly set-up the options.