2022-04-29 21:55:55 +03:00
|
|
|
# Copyright (c) Microsoft Corporation
|
|
|
|
|
# SPDX-License-Identifier: MIT
|
|
|
|
|
|
|
|
|
|
# This workflow executes the OSSAR action.
|
|
|
|
|
|
|
|
|
|
name: ossar-scan
|
|
|
|
|
|
|
|
|
|
on:
|
|
|
|
|
workflow_call:
|
|
|
|
|
inputs:
|
|
|
|
|
# The name of the build artifact to download.
|
|
|
|
|
build_artifact:
|
|
|
|
|
required: true
|
|
|
|
|
type: string
|
|
|
|
|
|
|
|
|
|
permissions:
|
|
|
|
|
checks: read # Required by fountainhead/action-wait-for-check to wait for another GitHub check to complete.
|
|
|
|
|
contents: read # Required by actions/checkout to fetch code.
|
|
|
|
|
security-events: write # Required by codeql task
|
|
|
|
|
|
|
|
|
|
jobs:
|
|
|
|
|
scan:
|
|
|
|
|
timeout-minutes: 30
|
|
|
|
|
|
|
|
|
|
strategy:
|
|
|
|
|
matrix:
|
|
|
|
|
# For now only run on release as debug builds of the MSVC are built without /Qspectre.
|
|
|
|
|
configurations: [Release]
|
|
|
|
|
|
|
|
|
|
# github/ossar-action doesn't run on windows-2019, requires windows-latest.
|
|
|
|
|
runs-on: windows-latest
|
|
|
|
|
env:
|
|
|
|
|
# Configuration type to build.
|
|
|
|
|
BUILD_CONFIGURATION: ${{matrix.configurations}}
|
|
|
|
|
BUILD_PLATFORM: x64
|
|
|
|
|
|
|
|
|
|
steps:
|
2023-01-27 19:46:44 +03:00
|
|
|
- id: skip_check
|
|
|
|
|
uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281 # v5.3.0
|
|
|
|
|
with:
|
|
|
|
|
cancel_others: 'false'
|
|
|
|
|
paths_ignore: '["**.md", "**/docs/**"]'
|
|
|
|
|
|
2022-05-11 20:33:36 +03:00
|
|
|
# Checking out the branch is needed to correctly log security alerts.
|
2023-01-10 00:24:41 +03:00
|
|
|
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
|
2023-01-27 19:46:44 +03:00
|
|
|
if: steps.skip_check.outputs.should_skip != 'true'
|
2022-04-29 21:55:55 +03:00
|
|
|
with:
|
2022-05-11 20:33:36 +03:00
|
|
|
# Only check out main repo, not submodules.
|
2022-04-29 21:55:55 +03:00
|
|
|
ref: ${{ github.event.workflow_run.head_branch }}
|
|
|
|
|
|
|
|
|
|
- name: Download build artifact
|
2023-01-27 19:46:44 +03:00
|
|
|
if: (steps.skip_check.outputs.should_skip != 'true') && success()
|
2023-01-10 06:26:52 +03:00
|
|
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
|
2022-04-29 21:55:55 +03:00
|
|
|
id: download_artifact
|
|
|
|
|
with:
|
|
|
|
|
name: ${{inputs.build_artifact}} ${{matrix.configurations}}
|
|
|
|
|
path: ${{github.workspace}}/${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}}
|
|
|
|
|
|
|
|
|
|
- name: Exclude external files
|
2023-01-27 19:46:44 +03:00
|
|
|
if: steps.skip_check.outputs.should_skip != 'true'
|
2022-04-29 21:55:55 +03:00
|
|
|
run: |
|
|
|
|
|
pushd ${{github.workspace}}/${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}}
|
|
|
|
|
Remove-Item @("clang_rt.*", "concrt*", "msvc*", "ucrt*", "vc*") -ErrorAction SilentlyContinue
|
|
|
|
|
|
|
|
|
|
- name: Run OSSAR (Open Source Static Analysis Runner)
|
2023-01-27 19:46:44 +03:00
|
|
|
if: steps.skip_check.outputs.should_skip != 'true'
|
2022-04-29 21:55:55 +03:00
|
|
|
uses: github/ossar-action@c757d32d66bea728bc64e67e7d6de9696f7f37d3
|
|
|
|
|
id: ossar
|
|
|
|
|
|
|
|
|
|
- name: Upload results to Security tab
|
2023-01-27 19:46:44 +03:00
|
|
|
if: steps.skip_check.outputs.should_skip != 'true'
|
2023-01-22 09:35:33 +03:00
|
|
|
uses: github/codeql-action/upload-sarif@a34ca99b4610d924e04c68db79e503e1f79f9f02
|
2022-04-29 21:55:55 +03:00
|
|
|
with:
|
|
|
|
|
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
|
