Run open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).
The OSSAR action is currently in beta and runs on the windows-latest queue, as well as Windows self hosted agents. ubuntu-latest support coming soon.
This action runs the Microsoft Security Code Analysis CLI for security analysis by:
- Installing the Microsoft Security Code Analysis CLI
- Installing the latest policy or referencing the local
policy/github.gdnpolicyfile - Installing the latest open source tools
- Automatic or user-provided configuration of static analysis tools
- Execution of a full suite of static analysis tools
- Normalized processing of results into the SARIF format
- Exports a single SARIF file which can be uploaded via the
github/codeql-action/upload-sarifaction
The following table documents what tools are currently run by this action (if applicable or configured) and the language(s) or artifact(s) they can analyze.
| Name | Analysis Coverage |
|---|---|
| Bandit | python |
| BinSkim | binary - Windows, ELF |
| ESlint | JavaScript |
To request a tool be integrated, please file a new a GitHub issue in this repo.
See action.yml
Run OSSAR with the default policy and recommended tools.
steps:
- uses: actions/checkout@v2
- name: Run OSSAR
uses: github/ossar-action@v1
id: ossar
- name: Upload results to Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}Note: The Microsoft Security Code Analysis CLI is built with dotnet v3.1.201. A version greater than or equal to v3.1.201 of dotnet must be installed on the runner in order to run this action. GitHub hosted runners already have a compatible version of dotnet installed. To ensure a compatible version of dotnet is installed on a self-hosted runner, please configure the actions/setup-dotnet action.
- uses: actions/setup-dotnet@v1
with:
dotnet-version: '3.1.x'
To upload results to the Security tab of your repo, run the github/codeql-action/upload-sarif action immediately after running OSSAR. OSSAR sets the action output variable sarifFile to the path of a single SARIF file that can be uploaded to this API.
- name: Upload results to Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}Please see the wiki tab for more information and the Frequently Asked Questions (FAQ) page.
Please file a GitHub issue in this repo. To help us investigate the issue, please include a description of the problem, a link to your workflow run (if public), and/or logs from the OSSAR's action output.
The scripts and documentation in this project are released under the MIT License
Contributions are welcome! See the Contributor's Guide.
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent