GithubHelp home page GithubHelp logo

pysa-action's Introduction

test_with_pyre_config test_no_pyre_config License: MIT

Pysa Github Action

Python Static Analyzer (Pysa) is a security-focused static analysis tool that tracks flows of data from where they originate to where they terminate in a dangerous location. Pysa has been used to detect and disclose security issues on open source Python projects in the past, such as CVE-2019-19775.

The Pysa GitHub Action enables you to run Pysa in CI and view the results on GitHub Security code scanning UI.


      - main

name: Pysa

    runs-on: ubuntu-latest
      - uses: actions/[email protected]

      - name: Run Pysa Action
        uses: facebook/pysa-action
          repo-directory: './'
          requirements-path: 'requirements.txt'
          infer-types: true
          include-default-sapp-filters: true
          sapp-filters-directory: path/to/custom-filters

See the test workflows in this repository for more examples


Pysa Action relies on SAPP Action to post process and filter Pysa results



Required, Path to the python source code you want to analyze. If you want to analyze the root of your repo, use './'. The default will be to analyze the root of your repository.

Since Pysa relies on Pyre, Pysa Action will also look for a .pyre_configuration in the root of your repo-directory. If Pysa Action can't find a .pyre_configuration file in the root of your repo-directory, it will create the default Pyre configuration to use. If you notice any missing flows involving your project dependencies, it can be likely fixed by committing the default .pyre_configuration to your repo and updating the taint_models_path to point to where your dependencies are installed


Required, Path to file containing your python code's dependencies relative to repo-directory. The default will look for requirements.txt in the root of the directory you specified in repo-directory.

Pysa Action will install all your project dependencies before the taint analysis stage and may miss flows for any dependencies not present in sys.path, so it is important to specify all your project dependencies in your requirements.txt


When set to true, the action will use the nightly version of Pysa to analyze your python code. The nightly version of Pysa tends to be unstable is not recommended you set this option to true unless you are adventurous. By default, the action will use the latest stable version of Pysa.


The version number of Pysa you would like to use to analyze your python code. By default, the action will use the latest version of Pysa.


If this value is true, the action will run pyre infer in-place to add type annotations to your python code. Unless your python code is sufficiently type annotated, it is highly recommended you set infer-types to true, since it'll greatly improve the quality and quantity of data flows Pysa is able to found.

Note that while viewing Pysa results, you may see that your source code has changed. Those changes are limited to your workflow run of Pysa and will not be committed to your repo. As a precaution to prevent confusion, the default for infer-types is false, however as mentioned earlier, it's strongly recommended you set infer-types to true.


The version number of SAPP you would like to use to post process Pysa results. By default, the action will use the latest version of SAPP.


Path relative to repo-directory where the SAPP filters you wrote that you want applied to filter the results of your Pysa runs are.

A description and guide to writing your own filters is available on the SAPP Github Repo. The description of what features are is available on the Pysa documentation.

See the test/custom-filters in this repo for a example


When set to true, SAPP will filter your Pysa runs with the default filters shipped with Pysa. The SAPP filters shipped with Pysa are intended to filter out false positives even at the cost of false negatives to ensure Pysa results are as high signal as possible.

By default, Pysa Action will use the default SAPP filters to filter its results. There are a few use cases where you might want to set include-default-sapp-filters to false. For example:

  • You prefer to apply no filters to your Pysa results, because you would like to see all Pysa results
  • You prefer to filter Pysa results only using the SAPP filters you've written in sapp-filters-directory


Pysa Action is licensed under the MIT license.

pysa-action's People


0xedward avatar


 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar


 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

pysa-action's Issues

Add support for poetry

It would be awesome if you would add support for poetry in this github action. Currently it requires a requirements.txt which is not used in most modern projects.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.