WPScan with GitHub Actions

WTFender/wpscan-action uses wpscan, a well-known CLI for scanning WordPress sites and plugins. The primary advantage of running this utility in GitHub Actions is not needing to setup a ruby environment or maintain a server - ideal for small tech teams.

Additionally, WPScan offers free API tokens for enriching scan results with the latest WordPress vulnerability data. This API token should have enough credits for a weekly scan against one WordPress site, but usage varies based on the number of site plugins.

GitHub Actions Workflow Example

Run a weekly WordPress scan and send the results to a Slack webhook.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
on:
  schedule:
    - cron:  0 10 * * 1 # Monday at 10 UTC
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: WTFender/wpscan-action@v1.0
        with:
          id: wpscan
          url: 'https://WORDPRESS_SITE/'
          token: ${{ secrets.WPSCAN_TOKEN }}
          webhook: ${{ secrets.SLACK_WEBHOOK }}

.

Optionally, scan results can be referenced in a follow on GitHub Actions step with the step ID and output variable names.

1
2
3
run: |
    echo ${{ steps.wpscan.outputs.result }}    # JSON scan results
    echo ${{ steps.wpscan.outputs.resultb64 }} # JSON scan results, base64 encoded    

Try it for free on the GitHub Actions Marketplace.

Comments

comments powered by Disqus