Home
Open Source Static Analysis Runner (OSSAR) runs multiple open source security static analysis tools without the added complexity. It leverages the Microsoft Security Code Analysis (MSCA) engine, detailed below.
Microsoft Security Code Analysis (MSCA) is a command line application that integrates static analysis tools into the development cycle. MSCA installs, configures and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). MSCA is data-driven, with portable configurations that enable deterministic execution across multiple environments. For tools that emit SARIF, or whose results MSCA can convert to SARIF, MSCA imports the results into a normalized file database so that findings from all tools can be reported and acted on consistently, for example by breaking the build.
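The build-break decision described above rests on reading normalized SARIF results and comparing their levels against a threshold. The following is an added illustration of that logic, not MSCA's or guardian's own code; the SARIF document and the tool and rule names in it are constructed for the example.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for a tool's output
# (not real output from binskim or any other tool).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleTool", "rules": [
            {"id": "EX0001", "defaultConfiguration": {"level": "error"}},
            {"id": "EX0002", "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "EX0001", "level": "error", "message": {"text": "a"}},
            {"ruleId": "EX0002", "message": {"text": "b"}},  # level comes from the rule
            {"ruleId": "EX0002", "level": "note", "message": {"text": "c"}},
            {"ruleId": "EX0001", "level": "error", "message": {"text": "d"}},
        ],
    }],
})

# SARIF result levels ordered from least to most severe.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

def effective_level(result, rules_by_id):
    """A result's level falls back to its rule's defaultConfiguration, then to 'warning'."""
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")

def count_by_level(sarif_text):
    """Normalize every run's results into one Counter keyed by effective level."""
    doc = json.loads(sarif_text)
    counts = Counter()
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for result in run.get("results", []):
            counts[effective_level(result, rules)] += 1
    return counts

def should_break(counts, threshold="error"):
    """Break the build when any result sits at or above the threshold level."""
    floor = LEVEL_RANK[threshold]
    return any(LEVEL_RANK.get(level, 0) >= floor and n > 0 for level, n in counts.items())

if __name__ == "__main__":
    c = count_by_level(SAMPLE_SARIF)
    print(dict(c), "break:", should_break(c))
```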
Run locally. Run remotely.
The Microsoft.Security.CodeAnalysis.Cli package is available for download from nuget.org. To access it easily from the command line, add the tools directory of the NuGet package to your PATH. It can then be invoked via its codename, guardian, through either the shell or cmd launcher, depending on your operating system.
Note: [..] blocks indicate optional parameters.
Initialize MSCA in your repo
guardian init
Run MSCA with tools configured by the Microsoft policy (default experience)
guardian run [-p Microsoft]
Run MSCA with tools configured specifically for GitHub
guardian run -p GitHub
Each stage of guardian run can be executed independently. To see what commands are available, check the command line help.
See command line help
guardian
guardian help
guardian --help
Interactively configure a tool
guardian configure -t binskim
Run the tool with the custom configuration
guardian run -c binskim