GitHub Action
SecurityCodeScan
This action is designed to run as part of a workflow that builds projects referencing SecurityCodeScan, SecurityCodeScan.VS2017 or SecurityCodeScan.VS2019.
It produces a GitHub-compatible SARIF file for uploading to the repository's 'Code scanning alerts'.
See action.yml. Inputs:
- `sarif_directory`: (optional) The output directory where SARIF files should be collected.
The recommended way to add this action to your workflow is to pair it with a subsequent step that uploads the prepared SARIF files to the repository's 'Code scanning alerts'. The analyzed projects must already reference the SecurityCodeScan, SecurityCodeScan.VS2017 or SecurityCodeScan.VS2019 NuGet package.
For example:
```yaml
on:
  push:

jobs:
  SCS:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Build
        run: |
          dotnet build /p:ErrorLog=analysis.sarif
      - name: Convert sarif for uploading to GitHub
        uses: security-code-scan/[email protected]
      - name: Upload sarif
        uses: github/codeql-action/upload-sarif@v1
```
Another option is to add the NuGet package to specific projects from the build script:
```yaml
on:
  push:

jobs:
  SCS:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Build
        run: |
          dotnet add src/SourcesFolderName/ProjectName.csproj package SecurityCodeScan.VS2019
          dotnet add src/SourcesFolderName2/ProjectName2.csproj package SecurityCodeScan.VS2019
          dotnet build /p:ErrorLog=analysis.sarif
      - name: Convert sarif for uploading to GitHub
        uses: security-code-scan/[email protected]
      - name: Upload sarif
        uses: github/codeql-action/upload-sarif@v1
```
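The convert step exists because `dotnet build /p:ErrorLog=...` writes a SARIF 1.0 log by default, while code scanning only accepts SARIF 2.1.0 with repo-relative file paths. The following is an added illustration of that kind of transformation, not the action's own code; it assumes the SARIF 1.0 field layout shown in the constructed sample (`resultFile`, string `message`, `rules` keyed by id) and a hypothetical checkout path.

```python
import json

# Constructed sample in the SARIF 1.0 layout that Roslyn's /p:ErrorLog emits by default
# (assumption: this field layout; a real log carries more fields than shown here).
SARIF_V1 = json.dumps({
    "version": "1.0.0",
    "runs": [{
        "tool": {"name": "Microsoft (R) Visual C# Compiler", "version": "3.8.0"},
        "results": [{
            "ruleId": "SCS0018", "level": "warning",
            "message": "Path traversal: injection possible in 'path' argument passed to 'ReadAllText'",
            "locations": [{"resultFile": {
                "uri": "file:///home/runner/work/app/app/src/Files.cs",
                "region": {"startLine": 42, "startColumn": 20, "endLine": 42, "endColumn": 48}}}]}],
        "rules": {"SCS0018": {"id": "SCS0018", "shortDescription": "Path traversal",
                              "helpUri": "https://security-code-scan.github.io/#SCS0018"}}}]})

def _strip_prefix(s, prefix):
    return s[len(prefix):] if s.startswith(prefix) else s

def convert_v1_to_v21(sarif_text, repo_root):
    """Rewrite a SARIF 1.0 log into the 2.1.0 shape GitHub code scanning accepts."""
    # repo_root is the checkout path on the runner; absolute file:// URIs become
    # repo-relative paths so GitHub can attach alerts to source lines.
    v1 = json.loads(sarif_text)
    runs = []
    for run in v1["runs"]:
        rules = []
        for rid, rule in run.get("rules", {}).items():
            entry = {"id": rid, "shortDescription": {"text": rule.get("shortDescription", rid)}}
            if rule.get("helpUri"):
                entry["helpUri"] = rule["helpUri"]
            rules.append(entry)
        results = []
        for res in run.get("results", []):
            locs = []
            for loc in res.get("locations", []):
                rf = loc["resultFile"]
                rel = _strip_prefix(_strip_prefix(rf["uri"], "file://"), repo_root).lstrip("/")
                locs.append({"physicalLocation": {"artifactLocation": {"uri": rel},
                                                  "region": rf.get("region", {})}})
            results.append({"ruleId": res["ruleId"], "level": res.get("level", "warning"),
                            "message": {"text": res["message"]}, "locations": locs})
        driver = {"name": run["tool"]["name"], "version": run["tool"].get("version", ""), "rules": rules}
        runs.append({"tool": {"driver": driver}, "results": results})
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "version": "2.1.0", "runs": runs}
```

Run it against the log in `sarif_directory` before upload to check that every result carries a repo-relative `artifactLocation.uri`; an absolute runner path there is the usual reason an upload succeeds but no alert is attached to a file.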
For a .NET 4.x example, see the FullDotNetWebApp demo repository.