65 строки
2.1 KiB
YAML
65 строки
2.1 KiB
YAML
# Copyright (c) Microsoft Corporation
|
|
# SPDX-License-Identifier: MIT
|
|
|
|
# This workflow executes the OSSAR action.
|
|
|
|
name: ossar-scan
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
# The name of the build artifact to download.
|
|
build_artifact:
|
|
required: true
|
|
type: string
|
|
|
|
permissions:
|
|
checks: read # Required by fountainhead/action-wait-for-check to wait for another GitHub check to complete.
|
|
contents: read # Required by actions/checkout to fetch code.
|
|
security-events: write # Required by codeql task
|
|
|
|
jobs:
|
|
scan:
|
|
timeout-minutes: 30
|
|
|
|
strategy:
|
|
matrix:
|
|
# For now only run on release as debug builds of the MSVC are built without /Qspectre.
|
|
configurations: [Release]
|
|
|
|
# github/ossar-action doesn't run on windows-2019, requires windows-latest.
|
|
runs-on: windows-latest
|
|
env:
|
|
# Configuration type to build.
|
|
BUILD_CONFIGURATION: ${{matrix.configurations}}
|
|
BUILD_PLATFORM: x64
|
|
|
|
steps:
|
|
# Checking out the branch is needed to correctly log security alerts.
|
|
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
|
|
with:
|
|
# Only check out main repo, not submodules.
|
|
ref: ${{ github.event.workflow_run.head_branch }}
|
|
|
|
- name: Download build artifact
|
|
if: success()
|
|
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7
|
|
id: download_artifact
|
|
with:
|
|
name: ${{inputs.build_artifact}} ${{matrix.configurations}}
|
|
path: ${{github.workspace}}/${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}}
|
|
|
|
- name: Exclude external files
|
|
run: |
|
|
pushd ${{github.workspace}}/${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}}
|
|
Remove-Item @("clang_rt.*", "concrt*", "msvc*", "ucrt*", "vc*") -ErrorAction SilentlyContinue
|
|
|
|
- name: Run OSSAR (Open Source Static Analysis Runner)
|
|
uses: github/ossar-action@c757d32d66bea728bc64e67e7d6de9696f7f37d3
|
|
id: ossar
|
|
|
|
- name: Upload results to Security tab
|
|
uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394
|
|
with:
|
|
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
|