Run open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).
The OSSAR action is currently in beta and runs on the windows-latest queue, as well as on Windows self-hosted agents. ubuntu-latest support is coming soon.
This action runs the Microsoft Security DevOps CLI for security analysis by:
- Installing the Microsoft Security DevOps CLI
- Installing the latest policy or referencing the local `policy/github.gdnpolicy` file
- Installing the latest open source tools
- Automatic or user-provided configuration of static analysis tools
- Execution of a full suite of static analysis tools
- Normalized processing of results into the SARIF format
- Exporting a single SARIF file which can be uploaded via the `github/codeql-action/upload-sarif` action
The following table documents what tools are currently run by this action (if applicable or configured) and the language(s) or artifact(s) they can analyze.
| Name | Analysis Coverage |
| --- | --- |
| Bandit | Python |
| BinSkim | binary - Windows, ELF |
| ESLint | JavaScript |
To request that a tool be integrated, please file a new GitHub issue in this repo.
See action.yml
Run OSSAR with the default policy and recommended tools.
```yaml
steps:
  - uses: actions/checkout@v2
  - name: Run OSSAR
    uses: github/ossar-action@v1
    id: ossar
  - name: Upload results to Security tab
    uses: github/codeql-action/upload-sarif@v2
    with:
      sarif_file: ${{ steps.ossar.outputs.sarifFile }}
```
Note: The Microsoft Security DevOps CLI is built with net6.0. A version greater than or equal to net6.0 of dotnet must be installed on the runner in order to run this action. GitHub hosted runners already have a compatible version of dotnet installed. To ensure a compatible version of dotnet is installed on a self-hosted runner, please configure the actions/setup-dotnet action.
```yaml
# Pin a net6.0-compatible SDK on self-hosted runners before the OSSAR step
- uses: actions/setup-dotnet@v1
  with:
    dotnet-version: '6.0.x'
```
To upload results to the Security tab of your repo, run the `github/codeql-action/upload-sarif` action immediately after running OSSAR. OSSAR sets the action output variable `sarifFile` to the path of a single SARIF file that can be uploaded to this API.

```yaml
- name: Upload results to Security tab
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: ${{ steps.ossar.outputs.sarifFile }}
```
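Because OSSAR normalizes every tool's findings into one SARIF file, a workflow can also read that file itself (for example to fail the job on error-level results) before or instead of uploading it. The script below is an added example, not code from OSSAR or this repo; it reads the path from `steps.ossar.outputs.sarifFile` when given one, the embedded SARIF sample is constructed in the shape OSSAR emits (one run per tool), and the `gate` threshold is an assumption.

```python
import json
import sys
from collections import Counter

# Constructed SARIF 2.1.0 sample in the shape OSSAR exports (one run per tool);
# not output captured from a real OSSAR run.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "Bandit"}}, "results": [
        {"ruleId": "B602", "level": "error",
         "message": {"text": "subprocess call with shell=True"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/run.py"}, "region": {"startLine": 12}}}]},
        {"ruleId": "B101",  # no "level": SARIF treats an omitted level as warning
         "message": {"text": "Use of assert detected"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/util.py"}, "region": {"startLine": 3}}}]}]},
    {"tool": {"driver": {"name": "ESLint"}}, "results": [
        {"ruleId": "no-eval", "level": "warning",
         "message": {"text": "eval can be harmful."},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "web/index.js"}, "region": {"startLine": 40}}}]}]}]})

def summarize_sarif(text):
    """Return (counts per tool, counts per level, flat findings) for a SARIF log."""
    by_tool, by_level, findings = Counter(), Counter(), []
    for run in json.loads(text).get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            level = res.get("level", "warning")  # spec default when omitted
            by_tool[tool] += 1
            by_level[level] += 1
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append((tool, level, res.get("ruleId"),
                             phys.get("artifactLocation", {}).get("uri"),
                             phys.get("region", {}).get("startLine"),
                             res.get("message", {}).get("text", "")))
    return by_tool, by_level, findings

def gate(text, fail_on=("error",)):
    """True when no result sits at a blocking level; False means fail the job."""
    _, by_level, _ = summarize_sarif(text)
    return not any(by_level[lvl] for lvl in fail_on)

if __name__ == "__main__":
    # Pass the path from steps.ossar.outputs.sarifFile, or no argument for the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    tools, levels, rows = summarize_sarif(data)
    print(dict(tools), dict(levels))
    for row in rows:
        print("{}: {} {} at {}:{} - {}".format(*row))
    sys.exit(0 if gate(data) else 1)
```

Run it as a step after OSSAR with `python check_sarif.py ${{ steps.ossar.outputs.sarifFile }}`; a non-zero exit fails the job while the SARIF upload step can still run with `if: always()`.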
Please see the wiki tab for more information and the Frequently Asked Questions (FAQ) page.
Please file a GitHub issue in this repo. To help us investigate the issue, please include a description of the problem, a link to your workflow run (if public), and/or logs from the OSSAR action's output.
The scripts and documentation in this project are released under the MIT License.
Contributions are welcome! See the Contributor's Guide.