/ossar-action

Run multiple open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).

Primary LanguageJavaScriptMIT LicenseMIT

github/ossar-action

OSSAR windows-latest
OSSAR ubuntu-latest

Run open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).

Limitations

The OSSAR action is currently in beta and runs on the windows-latest queue, as well as Windows self hosted agents. ubuntu-latest support coming soon.

Overview

This action runs the Microsoft Security DevOps CLI for security analysis by:

  • Installing the Microsoft Security DevOps CLI
  • Installing the latest policy or referencing the local policy/github.gdnpolicy file
  • Installing the latest open source tools
  • Automatic or user-provided configuration of static analysis tools
  • Execution of a full suite of static analysis tools
  • Normalized processing of results into the SARIF format
  • Exports a single SARIF file which can be uploaded via the github/codeql-action/upload-sarif action

Open Source Tools

The following table documents what tools are currently run by this action (if applicable or configured) and the language(s) or artifact(s) they can analyze.

Name Analysis Coverage
Bandit python
BinSkim binary - Windows, ELF
ESlint JavaScript

To request a tool be integrated, please file a new a GitHub issue in this repo.

Usage

See action.yml

Basic

Run OSSAR with the default policy and recommended tools.

steps:
- uses: actions/checkout@v2
- name: Run OSSAR
  uses: github/ossar-action@v1
  id: ossar
- name: Upload results to Security tab
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: ${{ steps.ossar.outputs.sarifFile }}

Note: The Microsoft Security DevOps CLI is built with net6.0. A version greater than or equal to net6.0 of dotnet must be installed on the runner in order to run this action. GitHub hosted runners already have a compatible version of dotnet installed. To ensure a compatible version of dotnet is installed on a self-hosted runner, please configure the actions/setup-dotnet action.

- uses: actions/setup-dotnet@v1
  with:
    #     dotnet-version: '6.0.x'

Upload Results to the Security tab

To upload results to the Security tab of your repo, run the github/codeql-action/upload-sarif action immediately after running OSSAR. OSSAR sets the action output variable sarifFile to the path of a single SARIF file that can be uploaded to this API.

- name: Upload results to Security tab
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: ${{ steps.ossar.outputs.sarifFile }}

More Information

Please see the wiki tab for more information and the Frequently Asked Questions (FAQ) page.

Report Issues

Please file a GitHub issue in this repo. To help us investigate the issue, please include a description of the problem, a link to your workflow run (if public), and/or logs from the OSSAR's action output.

License

The scripts and documentation in this project are released under the MIT License

Contributing

Contributions are welcome! See the Contributor's Guide.