Add GitHub Actions integration #49
Comments
|
@michaelcfanning @jhutchings1 @eddynaka @yongyan-gh - now that SARIF output is in Flawfinder, I think that adding a GitHub Actions integration should be easy. Anyone interested in doing that, since for many use cases that's the final step? |
|
Hi @david-a-wheeler , should we create a new repo only for the action or would u like to keep it in this repo? |
|
@eddynaka - I have a mild preference to keeping in this repo. That way they can be kept in sync if necessary. However, if that's inconvenient, a new repo is fine. The goal is to make it easy to use :-). |
|
Here's maybe a better resource with a lot of details on how to write the action and workflow file so that we can surface it on Github.com in the UI. The action can live in this repo but marketplace has a 1:1 mapping of repos to actions so if you anticipate the need for multiple actions to be published to marketplace they may need their own repos. I think for a scanner you'll probably only have 1 action so colocated would be great! |
|
I expect the only action to be "scan this repo". It should be possible to configure the scan, but that should be doable with environment variables and such. We don't support a configuration file, but we could add that if it's important. |
|
So, is someone volunteering to write the action & workflow file? |
|
@yongyan-gh , can you take a look? we have something similar: https://github.com/microsoft/sarif-actions |
|
hi @david-a-wheeler, in order to create boilerplate workflow and publish to github, we need to refill below information, can you pls review? And also a svg icon file is required to show the flawfinder workflow in security tab. Can you please share the icon file? |
|
@yongyan-gh - the JSON looks fine. I don't think I have an svg file, but I could make one. I just found this thing. Thoughts?: https://github.com/marketplace/actions/flawfinder-action |
|
Hi @david-a-wheeler , I saw that but that kind of action:
With the change we are adding, we would create an official action that does not require the PAT and we would also make the changes in https://github.com/actions/starter-workflows so it would show flawfinder in the security tab as well. Let us know if we should pursue and merge the action that we just created. |
|
Not requiring a GitHub PAT is a great reason to merge this work, and I"m delighted to create an official action. |
|
Hi @david-a-wheeler , @yongyan-gh will create another PR fixing one issue with the SARIF and, once merged, we will finish the action. |
|
@david-a-wheeler this is the PR fixing SARIF issue #52, please review. |
hi @david-a-wheeler please share the Flawfinder icon file in svg format once you create one. |
|
I've made creating an icon a separate issue, here: #53 If someone has talent to do that, I'd love to know. Otherwise I'll create a "stub" & we can replace it later once someone with artistic talent does one. |
|
Sounds like fun to create an icon for you. I can propose something. Tell me a little about the 'brand' or feeling you want to create in the community for your tool. :) It's C++, obviously, we find quality issues, there's a security focus. What else? :) Do you want a serious feel? Something more playful? etc. |
|
@michaelcfanning - Good questions. Please continue in issue #53 so the icon discussions will be in one place. |
|
Is this also being published to the GitHub Marketplace? |
|
Hi @josepalafox , we are working on it :) |
|
The starter workflow looked reasonable to me. |
|
@david-a-wheeler , can u verify ur publish? |
|
@eddynaka - what do I need to do? Yes, I'd like it published. I'm distracted right now, but if people can give me clear pointers I'm be happy to finish the task. |
|
@david-a-wheeler , my comment from the other thread:
|
|
@david-a-wheeler can you pls publish the action again following the steps in the link Eddy sent? |
|
Will do. I was on vacation, and then catching up from vacation. |
|
I made some further changes. I don't think it's quite working, though hopefully it's closer. Suggestions? |
|
Also: It appears that "Flawfinder" is taken, so I renamed the action "flawfinder_scan". |
|
@david-a-wheeler thank you now I can see the action was published! |
|
@yongyan-gh - Good, but it didn't seem to work when I tested it. Maybe my test was wrong? I think the README isn't quite right (e.g., |
|
@david-a-wheeler I created PR #55 to update readme.md |
|
@david-a-wheeler , just to let you know, yesterday the pr to the starter-workflow got merged. Below the image and description: |
|
Well, it works, insofar as it can be turned on, and then uploads its results to the "Security" tab; the results don't look very good, though: |
It'd be great to have a GitHub Actions integration. Now that flawfinder has SARIF output, that should in theory be easy.
More info here about creating such integrations:
https://docs.github.com/en/code-security/secure-coding/integrating-with-code-scanning
The text was updated successfully, but these errors were encountered: