Skip to content
/ ossar-action Public
forked from github/ossar-action

Run multiple open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).

License

MIT license
0 stars 27 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

davidknise/ossar-action

BranchesTags
 
 

Repository files navigation

github/ossar-action

OSSAR windows-latest
OSSAR ubuntu-latest

Run open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).

Limitations

The OSSAR action is currently in beta and runs on the windows-latest queue, as well as Windows self hosted agents. ubuntu-latest support coming soon.

Overview

This action runs the Microsoft Security Code Analysis CLI for security analysis by:

  • Installing the Microsoft Security Code Analysis CLI
  • Installing the latest policy or referencing the local policy/github.gdnpolicy file
  • Installing the latest open source tools
  • Automatic or user-provided configuration of static analysis tools
  • Execution of a full suite of static analysis tools
  • Normalized processing of results into the SARIF format
  • Exports a single SARIF file which can be uploaded via the github/codeql-action/upload-sarif action

Open Source Tools

The following table documents what tools are currently run by this action (if applicable or configured) and the language(s) or artifact(s) they can analyze.

Name Analysis Coverage
Bandit python
BinSkim binary - Windows, ELF
ESlint JavaScript

To request a tool be integrated, please file a new a GitHub issue in this repo.

Usage

See action.yml

Basic

Run OSSAR with the default policy and recommended tools.

steps:
- uses: actions/checkout@v2
- name: Run OSSAR
  uses: github/ossar-action@v1
  id: ossar
- name: Upload results to Security tab
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: ${{ steps.ossar.outputs.sarifFile }}

Note: The Microsoft Security Code Analysis CLI is built with dotnet v3.1.201. A version greater than or equal to v3.1.201 of dotnet must be installed on the runner in order to run this action. GitHub hosted runners already have a compatible version of dotnet installed. To ensure a compatible version of dotnet is installed on a self-hosted runner, please configure the actions/setup-dotnet action.

- uses: actions/setup-dotnet@v1
  with:
    dotnet-version: '3.1.x'

Upload Results to the Security tab

To upload results to the Security tab of your repo, run the github/codeql-action/upload-sarif action immediately after running OSSAR. OSSAR sets the action output variable sarifFile to the path of a single SARIF file that can be uploaded to this API.

- name: Upload results to Security tab
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: ${{ steps.ossar.outputs.sarifFile }}

More Information

Please see the wiki tab for more information and the Frequently Asked Questions (FAQ) page.

Report Issues

Please file a GitHub issue in this repo. To help us investigate the issue, please include a description of the problem, a link to your workflow run (if public), and/or logs from the OSSAR's action output.

License

The scripts and documentation in this project are released under the MIT License

Contributing

Contributions are welcome! See the Contributor's Guide.

About

Run multiple open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Security policy

Security policy
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

No packages published

Languages

  • JavaScript 67.8%
  • TypeScript 32.2%