The Wayback Machine - https://web.archive.org/web/20201008183710/https://github.com/github/ossar-action
Skip to content
Sign up
Sign in Sign up

/ ossar-action

Run multiple open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).

MIT License
40 stars 4 forks
Star
Watch
master
4 branches 1 tag
Go to file
Code
Clone

Use Git or checkout with SVN using the web URL.

Latest commit

@davidknise
davidknise Merge pull request #14 from sampart/use-github-terminology
49db941 Oct 6, 2020
Merge pull request #14 from sampart/use-github-terminology 
Use Actions terminology when talking about Actions runners
49db941

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.gdn
GitHub OSSAR Action initial commit.
Jun 24, 2020
.github/workflows
Use Actions terminology when talking about Actions runners
Oct 1, 2020
lib
Typo fix for Microsoft in the installer workflow
Jul 24, 2020
node_modules
GitHub OSSAR Action initial commit.
Jun 24, 2020
policy
GitHub OSSAR Action initial commit.
Jun 24, 2020
sample
GitHub OSSAR Action initial commit.
Jun 24, 2020
src
Typo fix for Microsoft in the installer workflow
Jul 24, 2020
.gitignore
GitHub OSSAR Action initial commit.
Jun 24, 2020
CODE_OF_CONDUCT.md
Add Limitations to Readme and GitHub blurb in Security.md
Jun 24, 2020
CONTRIBUTING.md
Update CONTRIBUTING.md with specific build information.
Jun 24, 2020
LICENSE
GitHub OSSAR Action initial commit.
Jun 24, 2020
README.md
Merge pull request #14 from sampart/use-github-terminology
Oct 6, 2020
SECURITY.md
Add Limitations to Readme and GitHub blurb in Security.md
Jun 24, 2020
action.yml
Shorten action description for publishing validation.
Jun 25, 2020
build.proj
GitHub OSSAR Action initial commit.
Jun 24, 2020
package-lock.json
GitHub OSSAR Action initial commit.
Jun 24, 2020
package.json
GitHub OSSAR Action initial commit.
Jun 24, 2020
tsconfig.json
GitHub OSSAR Action initial commit.
Jun 24, 2020

README.md

github/ossar-action

OSSAR windows-latest
OSSAR ubuntu-latest

Run open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).

Limitations

The OSSAR action is currently in beta and runs on the windows-latest queue, as well as Windows self hosted agents. ubuntu-latest support coming soon.

Overview

This action runs the Microsoft Security Code Analysis CLI for security analysis by:

  • Installing the Microsoft Security Code Analysis CLI
  • Installing the latest policy or referencing the local policy/github.gdnpolicy file
  • Installing the latest open source tools
  • Automatic or user-provided configuration of static analysis tools
  • Execution of a full suite of static analysis tools
  • Normalized processing of results into the SARIF format
  • Exports a single SARIF file which can be uploaded via the github/codeql-action/upload-sarif action

Usage

See action.yml

Basic

Run OSSAR with the default policy and recommended tools.

steps:
- uses: actions/checkout@v2
- name: Run OSSAR
  uses: github/ossar-action@v1
  id: ossar
- name: Upload results to Security tab
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: ${{ steps.ossar.outputs.sarifFile }}

Note: The Microsoft Security Code Analysis CLI is built with dotnet v3.1.201. A version greater than or equal to v3.1.201 of dotnet must be installed on the runner in order to run this action. GitHub hosted runners already have a compatible version of dotnet installed. To ensure a compatible version of dotnet is installed on a self-hosted runner, please configure the actions/setup-dotnet action.

- uses: actions/setup-dotnet@v1
  with:
    dotnet-version: '3.1.x'

Upload Results to the Security tab

To upload results to the Security tab of your repo, run the github/codeql-action/upload-sarif action immediately after running OSSAR. OSSAR sets the action output variable sarifFile to the path of a single SARIF file that can be uploaded to this API.

- name: Upload results to Security tab
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: ${{ steps.ossar.outputs.sarifFile }}

Open Source Tools

Name Language
Bandit python
BinSkim binary - Windows, ELF
ESlint JavaScript

More Information

Please see the wiki tab for more information and the Frequently Asked Questions (FAQ) page.

Report Issues

Please file a GitHub issue in this repo. To help us investigate the issue, please include a description of the problem, a link to your workflow run (if public), and/or logs from the OSSAR's action output.

License

The scripts and documentation in this project are released under the MIT License

Contributing

Contributions are welcome! See the Contributor's Guide.

About

Run multiple open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).

Resources

Readme

License

MIT License

Releases

1 tags

Packages

No packages published

Contributors 2

Languages

You can’t perform that action at this time.
Morty Proxy This is a proxified and sanitized view of the page, visit original site.