ebpf-for-windows/.github/workflows/ossar-scan.yml

# Copyright (c) Microsoft Corporation
# SPDX-License-Identifier: MIT

# This workflow executes the OSSAR action.

name: ossar-scan

on:
  workflow_call:
    inputs:
      # The name of the build artifact to download.
      build_artifact:
        required: true
        type: string

permissions:
  checks: read  # Required by fountainhead/action-wait-for-check to wait for another GitHub check to complete.
  contents: read  # Required by actions/checkout to fetch code.
  security-events: write # Required by codeql task

jobs:
  scan:
    timeout-minutes: 30

    strategy:
      matrix:
        # For now only run on release as debug builds of the MSVC are built without /Qspectre.
        configurations: [Release]

    # github/ossar-action doesn't run on windows-2019, requires windows-latest.
    runs-on: windows-latest
    env:
      # Configuration type to build.
      BUILD_CONFIGURATION: ${{matrix.configurations}}
      BUILD_PLATFORM: x64

    steps:
    # Checking out the branch is needed to correctly log security alerts.
    - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      with:
        # Only check out main repo, not submodules.
        ref: ${{ github.event.workflow_run.head_branch }}

    - name: Download build artifact
      if: success()
      uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7
      id: download_artifact
      with:
        name: ${{inputs.build_artifact}} ${{matrix.configurations}}
        path: ${{github.workspace}}/${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}}

    - name: Exclude external files
      run: |
        pushd ${{github.workspace}}/${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}}
        Remove-Item @("clang_rt.*", "concrt*", "msvc*", "ucrt*", "vc*") -ErrorAction SilentlyContinue

    - name: Run OSSAR (Open Source Static Analysis Runner)
      uses: github/ossar-action@c757d32d66bea728bc64e67e7d6de9696f7f37d3
      id: ossar

    - name: Upload results to Security tab
      uses: github/codeql-action/upload-sarif@a669cc5936cc5e1b6a362ec1ff9e410dc570d190
      with:
        sarif_file: ${{ steps.ossar.outputs.sarifFile }}
Integrate OSSAR (Open Source Static Analysis Runner) (#1023) * Integrate OSSAR (Open Source Static Analysis Runner) Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> * PR feedback Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> * PR feedback Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> Co-authored-by: Alan Jowett <alan.jowett@microsoft.com> 2022-04-29 21:55:55 +03:00			`# Copyright (c) Microsoft Corporation`
			`# SPDX-License-Identifier: MIT`

			`# This workflow executes the OSSAR action.`

			`name: ossar-scan`

			`on:`
			`workflow_call:`
			`inputs:`
			`# The name of the build artifact to download.`
			`build_artifact:`
			`required: true`
			`type: string`

			`permissions:`
			`checks: read # Required by fountainhead/action-wait-for-check to wait for another GitHub check to complete.`
			`contents: read # Required by actions/checkout to fetch code.`
			`security-events: write # Required by codeql task`

			`jobs:`
			`scan:`
			`timeout-minutes: 30`

			`strategy:`
			`matrix:`
			`# For now only run on release as debug builds of the MSVC are built without /Qspectre.`
			`configurations: [Release]`

			`# github/ossar-action doesn't run on windows-2019, requires windows-latest.`
			`runs-on: windows-latest`
			`env:`
			`# Configuration type to build.`
			`BUILD_CONFIGURATION: ${{matrix.configurations}}`
			`BUILD_PLATFORM: x64`

			`steps:`
Skip checkout of repo for ossar scan (#1081) * Skip checkout of repo for ossar scan Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> * Fix broken yaml Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> * Fix ossar dependency on git Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> Co-authored-by: Alan Jowett <alan.jowett@microsoft.com> 2022-05-11 20:33:36 +03:00			`# Checking out the branch is needed to correctly log security alerts.`
Bump actions/checkout from 3.1.0 to 3.2.0 (#1762) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.1.0 to 3.2.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8...755da8c3cf115ac066823e79a1e1788f8940201b) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2022-12-17 21:27:26 +03:00			`- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b`
Integrate OSSAR (Open Source Static Analysis Runner) (#1023) * Integrate OSSAR (Open Source Static Analysis Runner) Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> * PR feedback Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> * PR feedback Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> Co-authored-by: Alan Jowett <alan.jowett@microsoft.com> 2022-04-29 21:55:55 +03:00			`with:`
Skip checkout of repo for ossar scan (#1081) * Skip checkout of repo for ossar scan Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> * Fix broken yaml Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> * Fix ossar dependency on git Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> Co-authored-by: Alan Jowett <alan.jowett@microsoft.com> 2022-05-11 20:33:36 +03:00			`# Only check out main repo, not submodules.`
Integrate OSSAR (Open Source Static Analysis Runner) (#1023) * Integrate OSSAR (Open Source Static Analysis Runner) Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> * PR feedback Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> * PR feedback Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> Co-authored-by: Alan Jowett <alan.jowett@microsoft.com> 2022-04-29 21:55:55 +03:00			`ref: ${{ github.event.workflow_run.head_branch }}`

			`- name: Download build artifact`
			`if: success()`
Bump actions/download-artifact from 3.0.0 to 3.0.1 (#1498) Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3.0.0 to 3.0.1. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/fb598a63ae348fa914e94cd0ff38f362e927b741...9782bd6a9848b53b110e712e20e42d89988822b7) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2022-10-25 02:14:17 +03:00			`uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7`
Integrate OSSAR (Open Source Static Analysis Runner) (#1023) * Integrate OSSAR (Open Source Static Analysis Runner) Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> * PR feedback Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> * PR feedback Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> Co-authored-by: Alan Jowett <alan.jowett@microsoft.com> 2022-04-29 21:55:55 +03:00			`id: download_artifact`
			`with:`
			`name: ${{inputs.build_artifact}} ${{matrix.configurations}}`
			`path: ${{github.workspace}}/${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}}`

			`- name: Exclude external files`
			`run: \|`
			`pushd ${{github.workspace}}/${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}}`
			`Remove-Item @("clang_rt.", "concrt", "msvc", "ucrt", "vc*") -ErrorAction SilentlyContinue`

			`- name: Run OSSAR (Open Source Static Analysis Runner)`
			`uses: github/ossar-action@c757d32d66bea728bc64e67e7d6de9696f7f37d3`
			`id: ossar`

			`- name: Upload results to Security tab`
Bump github/codeql-action from 2.1.35 to 2.1.36 (#1729) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.35 to 2.1.36. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/b2a92eb56d8cb930006a1c6ed86b0782dd8a4297...a669cc5936cc5e1b6a362ec1ff9e410dc570d190) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2022-12-12 07:43:16 +03:00			`uses: github/codeql-action/upload-sarif@a669cc5936cc5e1b6a362ec1ff9e410dc570d190`
Integrate OSSAR (Open Source Static Analysis Runner) (#1023) * Integrate OSSAR (Open Source Static Analysis Runner) Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> * PR feedback Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> * PR feedback Signed-off-by: Alan Jowett <alan.jowett@microsoft.com> Co-authored-by: Alan Jowett <alan.jowett@microsoft.com> 2022-04-29 21:55:55 +03:00			`with:`
			`sarif_file: ${{ steps.ossar.outputs.sarifFile }}`