# Copyright (c) Microsoft Corporation
# SPDX-License-Identifier: MIT
#
# Reusable workflow: fetch a previously built artifact, run the OSSAR action
# over it, and upload the resulting SARIF to the repository's Security tab.
---
name: ossar-scan

on:
  workflow_call:
    inputs:
      # Name of the build artifact to download. The matrix configuration is
      # appended to this name when the artifact is fetched (see download step).
      build_artifact:
        required: true
        type: string

permissions:
  # The original annotation attributes this to fountainhead/action-wait-for-check,
  # but no step below uses that action. NOTE(review): confirm whether any step
  # still needs checks: read; if not, drop it to keep the token least-privilege.
  checks: read
  # actions/checkout needs to read repository contents.
  contents: read
  # github/codeql-action/upload-sarif writes alerts to the Security tab.
  security-events: write

jobs:
  scan:
    timeout-minutes: 30
    strategy:
      matrix:
        # Release only: debug builds of the MSVC target are produced without
        # /Qspectre, so scanning them would only report that.
        configurations:
          - Release
    # github/ossar-action does not run on windows-2019; windows-latest is required.
    runs-on: windows-latest
    env:
      # Configuration type to build (one entry of the matrix above).
      BUILD_CONFIGURATION: ${{ matrix.configurations }}
      BUILD_PLATFORM: x64
    steps:
      # All actions below are pinned to full commit SHAs rather than mutable
      # tags; when bumping a pin, record the matching release tag next to it.

      # A checkout is needed so that uploaded alerts are attributed to the
      # correct branch/commit.
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
        with:
          # NOTE(review): this workflow is entered via workflow_call, so
          # github.event is the caller's event; workflow_run.head_branch is only
          # populated when the caller was itself triggered by workflow_run.
          # Otherwise this expression is empty and checkout falls back to its
          # default ref. Submodules are not fetched (actions/checkout default).
          ref: ${{ github.event.workflow_run.head_branch }}

      - name: Download build artifact
        # success() is already the default step condition; kept for explicitness.
        if: success()
        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7
        id: download_artifact
        with:
          # Artifact name is "<build_artifact> <configuration>", e.g.
          # "<build_artifact> Release" for the single matrix entry above.
          name: ${{ inputs.build_artifact }} ${{ matrix.configurations }}
          # Unpacked into <workspace>/x64/<configuration>, the layout the
          # exclusion step and OSSAR scan operate on.
          path: ${{ github.workspace }}/${{ env.BUILD_PLATFORM }}/${{ env.BUILD_CONFIGURATION }}

      - name: Exclude external files
        # Remove third-party runtime binaries shipped alongside the build output
        # so they are not scanned as if they were this project's code.
        # Presumably these are the CRT/compiler runtime redistributables —
        # verify against what the build copies into the output directory.
        run: |
          pushd ${{ github.workspace }}/${{ env.BUILD_PLATFORM }}/${{ env.BUILD_CONFIGURATION }}
          Remove-Item @("clang_rt.*", "concrt*", "msvc*", "ucrt*", "vc*") -ErrorAction SilentlyContinue

      - name: Run OSSAR (Open Source Static Analysis Runner)
        uses: github/ossar-action@c757d32d66bea728bc64e67e7d6de9696f7f37d3
        # The id is referenced below to pick up the produced SARIF file.
        id: ossar

      - name: Upload results to Security tab
        uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394
        with:
          sarif_file: ${{ steps.ossar.outputs.sarifFile }}