
pysa-action's Introduction


Pysa Github Action

Python Static Analyzer (Pysa) is a security-focused static analysis tool that tracks flows of data from where they originate to where they terminate in a dangerous location. Pysa has been used to detect and disclose security issues on open source Python projects in the past, such as CVE-2019-19775.

The Pysa GitHub Action enables you to run Pysa in CI and view the results in the GitHub Security code scanning UI.

Usage

on:
  push:
    branches:
      - main
  pull_request:

name: Pysa

jobs:
  pysa:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Run Pysa Action
        uses: facebook/pysa-action
        with:
          repo-directory: './'
          requirements-path: 'requirements.txt'
          infer-types: true
          include-default-sapp-filters: true
          sapp-filters-directory: path/to/custom-filters

See the test workflows in this repository for more examples.

Dependencies

Pysa Action relies on SAPP Action to post-process and filter Pysa results.

Inputs

repo-directory

Required. Path to the Python source code you want to analyze. If you want to analyze the root of your repo, use './'. The default is to analyze the root of your repository.

Since Pysa relies on Pyre, Pysa Action also looks for a .pyre_configuration in the root of your repo-directory. If it can't find a .pyre_configuration file there, it creates the default Pyre configuration and uses that. If you notice missing flows involving your project dependencies, committing the default .pyre_configuration to your repo and updating taint_models_path to point to where your dependencies are installed is likely to fix it.

requirements-path

Required. Path to the file containing your Python code's dependencies, relative to repo-directory. By default the action looks for requirements.txt in the root of the directory you specified in repo-directory.

Pysa Action installs all your project dependencies before the taint analysis stage and may miss flows for any dependency not present in sys.path, so it is important to list all your project dependencies in your requirements.txt.

use-nightly

When set to true, the action uses the nightly version of Pysa to analyze your Python code. The nightly version of Pysa tends to be unstable, so setting this option to true is not recommended unless you are adventurous. By default, the action uses the latest stable version of Pysa.

pysa-version

The version number of Pysa you would like to use to analyze your Python code. By default, the action uses the latest version of Pysa.

infer-types

If this value is true, the action runs pyre infer in-place to add type annotations to your Python code. Unless your code is already sufficiently type annotated, it is highly recommended you set infer-types to true, since it greatly improves the quality and quantity of data flows Pysa is able to find.

Note that while viewing Pysa results, you may see that your source code has changed. Those changes are limited to your workflow run of Pysa and are not committed to your repo. To prevent confusion, the default for infer-types is false; however, as mentioned above, it is strongly recommended that you set infer-types to true.

sapp-version

The version number of SAPP you would like to use to post-process Pysa results. By default, the action uses the latest version of SAPP.

sapp-filters-directory

Path, relative to repo-directory, to the directory containing the SAPP filters you wrote and want applied to the results of your Pysa runs.

A description of and guide to writing your own filters is available in the SAPP GitHub repo. What features are is described in the Pysa documentation.

See test/custom-filters in this repo for an example.

include-default-sapp-filters

When set to true, SAPP filters your Pysa runs with the default filters shipped with Pysa. Those filters are intended to filter out false positives, even at the cost of false negatives, so that Pysa results are as high signal as possible.

By default, Pysa Action uses the default SAPP filters to filter its results. There are a few use cases where you might want to set include-default-sapp-filters to false, for example:

  • You prefer to apply no filters to your Pysa results, because you would like to see all of them.
  • You prefer to filter Pysa results only with the SAPP filters you've written in sapp-filters-directory.

use-poetry

When set to true, Pysa Action installs poetry with the Python Package Installer (pip) and uses it to install dependencies.

By default it is set to false, and the requirements file is used as the source of requirements to be installed by the Python Package Installer (pip).

License

Pysa Action is licensed under the MIT license.

pysa-action's People

Contributors

0xedward, abishekvashok, kbdharun


pysa-action's Issues

Add support for poetry

It would be awesome if you would add support for poetry in this github action. Currently it requires a requirements.txt which is not used in most modern projects.

Unexpected end of JSON input

It appears to run normally now. However, there is a different error about the `sarif.json`. Is this expected or should we discuss it in a separate issue?

https://github.com/WesternFriend/westernfriend.org/actions/runs/7684163911/job/20940323308

Artifact SARIF Results has been successfully uploaded!
Run github/codeql-action/upload-sarif@v2
Warning: CodeQL Action v2 will be deprecated on December 5th, 2024. Please update all occurrences of the CodeQL Action in your workflow files to v3. For more information, see https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/
Uploading results
Processing sarif files: ["sarif.json"]
Error: Unexpected end of JSON input
SyntaxError: Unexpected end of JSON input
at JSON.parse ()
at validateSarifFileSchema (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-lib.js:191:24)
at uploadFiles (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-lib.js:261:9)
at Object.uploadFromActions (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-lib.js:141:22)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async run (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:53:30)
at async runWrapper (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:75:9)

Originally posted by @brylie in #5 (comment)
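The upload error above comes from codeql-action/upload-sarif calling JSON.parse on a sarif.json that is empty or truncated. A pre-upload check that fails the workflow step with a readable message, and summarizes the findings per Pysa rule when the file is sound, is an added example here, not code from pysa-action or SAPP; the sample SARIF document is constructed and assumed to be shaped like a Pysa run.

```python
import json
from pathlib import Path

# Constructed sample: a minimal SARIF 2.1.0 document with one Pysa-style
# finding (assumed shape, not verbatim output of pysa-action/SAPP).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Pysa", "rules": [{"id": "5001"}]}},
        "results": [{"ruleId": "5001", "level": "warning",
                     "message": {"text": "Possible shell injection"}}],
    }],
})


def summarize_sarif(text: str) -> dict:
    """Parse SARIF text and return a per-rule summary.

    Raises ValueError for the inputs upload-sarif would choke on: an empty
    file, truncated/invalid JSON, or a document without a 'runs' array.
    """
    if not text.strip():
        raise ValueError("sarif.json is empty: Pysa or SAPP produced no output")
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"sarif.json is not valid JSON: {exc}") from exc
    runs = doc.get("runs") if isinstance(doc, dict) else None
    if not isinstance(runs, list) or not runs:
        raise ValueError("sarif.json has no 'runs' array")
    counts: dict[str, int] = {}
    for run in runs:
        for result in run.get("results", []):
            rule = result.get("ruleId", "<no-rule>")
            counts[rule] = counts.get(rule, 0) + 1
    return {"version": doc.get("version"), "runs": len(runs),
            "results": sum(counts.values()), "by_rule": counts}


def is_uploadable(text: str) -> bool:
    """True when summarize_sarif accepts the text, False otherwise."""
    try:
        summarize_sarif(text)
    except ValueError:
        return False
    return True


def check_sarif_file(path: str = "sarif.json") -> dict:
    """Summarize a SARIF file on disk; missing or bad files raise."""
    return summarize_sarif(Path(path).read_text(encoding="utf-8"))
```

Run it as a workflow step between the Pysa action and upload-sarif so a missing or empty sarif.json fails with a clear message instead of the JSON.parse stack trace.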

ImportError: cannot import name 'url_quote' from 'werkzeug.urls'

When running the PySA 0.0.1 action, I reliably get the following traceback:

Traceback (most recent call last):
  File "/opt/hostedtoolcache/Python/3.12.1/x64/bin/sapp", line 5, in <module>
    from sapp.cli import cli
  File "/opt/hostedtoolcache/Python/3.12.1/x64/lib/python3.12/site-packages/sapp/cli.py", line 13, in <module>
    from .cli_lib import commands, common_options
  File "/opt/hostedtoolcache/Python/3.12.1/x64/lib/python3.12/site-packages/sapp/cli_lib.py", line 31, in <module>
    from .ui import filters
  File "/opt/hostedtoolcache/Python/3.12.1/x64/lib/python3.12/site-packages/sapp/ui/filters.py", line 15, in <module>
    from flask.views import View
  File "/opt/hostedtoolcache/Python/3.12.1/x64/lib/python3.12/site-packages/flask/__init__.py", line 7, in <module>
    from .app import Flask as Flask
  File "/opt/hostedtoolcache/Python/3.12.1/x64/lib/python3.12/site-packages/flask/app.py", line 27, in <module>
    from . import cli
  File "/opt/hostedtoolcache/Python/3.12.1/x64/lib/python3.12/site-packages/flask/cli.py", line 17, in <module>
    from .helpers import get_debug_flag
  File "/opt/hostedtoolcache/Python/3.12.1/x64/lib/python3.12/site-packages/flask/helpers.py", line 14, in <module>
    from werkzeug.urls import url_quote
ImportError: cannot import name 'url_quote' from 'werkzeug.urls' (/opt/hostedtoolcache/Python/3.12.1/x64/lib/python3.12/site-packages/werkzeug/urls.py). Did you mean: 'unquote'?
