Pysa Github Action
Python Static Analyzer (Pysa) is a security-focused static analysis tool that tracks flows of data from where they originate to where they terminate in a dangerous location. Pysa has been used to detect and disclose security issues on open source Python projects in the past, such as CVE-2019-19775.
The Pysa GitHub Action enables you to run Pysa in CI and view the results on GitHub Security code scanning UI.
on: push: branches: - main pull_request: name: Pysa jobs: pysa: runs-on: ubuntu-latest steps: - uses: actions/[email protected] - name: Run Pysa Action uses: facebook/pysa-action with: repo-directory: './' requirements-path: 'requirements.txt' infer-types: true include-default-sapp-filters: true sapp-filters-directory: path/to/custom-filters
See the test workflows in this repository for more examples
Pysa Action relies on SAPP Action to post process and filter Pysa results
Required, Path to the python source code you want to analyze. If you want to analyze the root of your repo, use
'./'. The default will be to analyze the root of your repository.
Since Pysa relies on Pyre, Pysa Action will also look for a
.pyre_configuration in the root of your
repo-directory. If Pysa Action can't find a
.pyre_configuration file in the root of your
repo-directory, it will create the default Pyre configuration to use. If you notice any missing flows involving your project dependencies, it can be likely fixed by committing the default
.pyre_configuration to your repo and updating the
taint_models_path to point to where your dependencies are installed
Required, Path to file containing your python code's dependencies relative to
repo-directory. The default will look for
requirements.txt in the root of the directory you specified in
Pysa Action will install all your project dependencies before the taint analysis stage and may miss flows for any dependencies not present in
sys.path, so it is important to specify all your project dependencies in your
When set to
true, the action will use the nightly version of Pysa to analyze your python code. The nightly version of Pysa tends to be unstable is not recommended you set this option to true unless you are adventurous. By default, the action will use the latest stable version of Pysa.
The version number of Pysa you would like to use to analyze your python code. By default, the action will use the latest version of Pysa.
If this value is
true, the action will run
pyre infer in-place to add type annotations to your python code. Unless your python code is sufficiently type annotated, it is highly recommended you set
true, since it'll greatly improve the quality and quantity of data flows Pysa is able to found.
Note that while viewing Pysa results, you may see that your source code has changed. Those changes are limited to your workflow run of Pysa and will not be committed to your repo. As a precaution to prevent confusion, the default for
infer-types is false, however as mentioned earlier, it's strongly recommended you set
The version number of SAPP you would like to use to post process Pysa results. By default, the action will use the latest version of SAPP.
Path relative to
repo-directory where the SAPP filters you wrote that you want applied to filter the results of your Pysa runs are.
A description and guide to writing your own filters is available on the SAPP Github Repo. The description of what features are is available on the Pysa documentation.
test/custom-filters in this repo for a example
When set to
true, SAPP will filter your Pysa runs with the default filters shipped with Pysa. The SAPP filters shipped with Pysa are intended to filter out false positives even at the cost of false negatives to ensure Pysa results are as high signal as possible.
By default, Pysa Action will use the default SAPP filters to filter its results. There are a few use cases where you might want to set
false. For example:
- You prefer to apply no filters to your Pysa results, because you would like to see all Pysa results
- You prefer to filter Pysa results only using the SAPP filters you've written in
Pysa Action is licensed under the MIT license.