Skip to content

mavasani/dotnet-analyzers-action

BranchesTags

Repository files navigation

github/ossar-action

OSSAR windows-latest
OSSAR ubuntu-latest

Run open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).

Limitations

The OSSAR action is currently in beta and runs on the windows-latest queue, as well as Windows self hosted agents. ubuntu-latest support coming soon.

Overview

This action runs the Microsoft Security Code Analysis CLI for security analysis by:

  • Installing the Microsoft Security Code Analysis CLI
  • Installing the latest policy or referencing the local policy/github.gdnpolicy file
  • Installing the latest open source tools
  • Automatic or user-provided configuration of static analysis tools
  • Execution of a full suite of static analysis tools
  • Normalized processing of results into the SARIF format
  • Exports a single SARIF file which can be uploaded via the github/codeql-action/upload-sarif action

Usage

See action.yml

Basic

Run OSSAR with the default policy and recommended tools.

steps:
- uses: actions/checkout@v2
- name: Run OSSAR
  uses: github/ossar-action@v1
  id: ossar
- name: Upload results to Security tab
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: ${{ steps.ossar.outputs.sarifFile }}

Note: The Microsoft Security Code Analysis CLI is built with dotnet v3.1.201. A version greater than or equal to v3.1.201 of dotnet must be installed on the runner in order to run this action. GitHub hosted runners already have a compatible version of dotnet installed. To ensure a compatible version of dotnet is installed on a self-hosted runner, please configure the actions/setup-dotnet action.

- uses: actions/setup-dotnet@v1
  with:
    dotnet-version: '3.1.x'

Upload Results to the Security tab

To upload results to the Security tab of your repo, run the github/codeql-action/upload-sarif action immediately after running OSSAR. OSSAR sets the action output variable sarifFile to the path of a single SARIF file that can be uploaded to this API.

- name: Upload results to Security tab
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: ${{ steps.ossar.outputs.sarifFile }}

Open Source Tools

Name Language
Bandit python
BinSkim binary - Windows, ELF
ESlint JavaScript

More Information

Please see the wiki tab for more information and the Frequently Asked Questions (FAQ) page.

Report Issues

Please file a GitHub issue in this repo. To help us investigate the issue, please include a description of the problem, a link to your workflow run (if public), and/or logs from the OSSAR's action output.

License

The scripts and documentation in this project are released under the MIT License

Contributing

Contributions are welcome! See the Contributor's Guide.

About

Github action to run analyzers shipping in .NET SDK

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Security policy

Security policy
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages