The GitHub Action for Microsoft Application Inspector
Перейти к файлу
Greg Mohler fdca296050
Update action.yml to include sarif output option (#13)
Update action.yml to include sarif output
2023-06-21 18:15:18 -07:00
.gitignore Updates initial description of action so users are better informed. 2020-10-04 16:59:22 -06:00
CODE_OF_CONDUCT.md First Commit 2020-07-15 08:51:09 -07:00
Dockerfile Adds support for a using a pre-release version of AppInspector 2022-08-03 01:32:55 -07:00
LICENSE First Commit 2020-07-15 08:51:09 -07:00
README.md Update README.md 2022-08-03 01:46:50 -07:00
SECURITY.md First Commit 2020-07-15 08:51:09 -07:00
action.yml Update action.yml to include sarif output option (#13) 2023-06-21 18:15:18 -07:00
entrypoint.sh Update entrypoint.sh (#11) 2022-08-03 02:13:02 -07:00

README.md

Application Inspector GitHub Action

Microsoft Application Inspector is a software source code characterization tool that helps identify coding features of first or third party software components based on well-known library/API calls and is helpful in security and non-security use cases. It uses hundreds of rules and regex patterns to surface interesting characteristics of source code to aid in determining what the software is or what it does and received industry attention as a new and valuable contribution to OSS on ZDNet, SecurityWeek, CSOOnline, Linux.com/news, HelpNetSecurity, Twitter and more and was first featured on Microsoft.com.

The tool supports scanning various programming languages including C, C++, C#, Java, JavaScript, HTML, Python, Objective-C, Go, Ruby, PowerShell and more and can scan projects with mixed language files.

Be sure to see our project wiki page for more help https://Github.com/Microsoft/ApplicationInspector/wiki for illustrations and additional information and help.

This Action calls the Analyze functionality of Application Inspector.

Usage

Add ApplicationInspector to your GitHub Actions pipeline like below to scan the repository root and output to AppInspectorResults.json in the repository root.

- uses: actions/checkout@v2
- uses: microsoft/ApplicationInspector-Action@v1
- uses: actions/upload-artifact@v2
    with:
        name: AppInspectorResults
        path: AppInspectorResults.json

A common use case is to run Application Inspector in tags only mode

- uses: microsoft/ApplicationInspector-Action@v1
      with:
        arguments: -t

You can also specify a number of options to the action. See the Application Inspector wiki for guidance. Use the documentation for the analyze command.

- uses: microsoft/ApplicationInspector-Action@v1
  with:
    location-to-scan: relative/path/in/repo
    output-path: relative/path/in/repo
    output-format: [json | text]
    file-path-exclusions: comma,separated,glob,patterns
    arguments: -any -arguments -to -analyze
    pre-release: [ true | false ]

Main Project

The engine powering this GitHub Action is also available here as a Cli.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.