diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..0b1dc77d2
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,66 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ v2.x/staging ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ v2.x/staging ]
+ schedule:
+ - cron: '30 20 * * 2'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'c' ]
+ # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+ # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+ # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+
+ # ℹī¸ Command-line programs to run using the OS shell.
+ # 📚 https://git.io/JvXDl
+
+ # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines
+ # and modify them (or add more) to build your code if your project
+ # uses a compiled language
+
+ #- run: |
+ # make bootstrap
+ # make release
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
\ No newline at end of file
diff --git a/.github/workflows/cppcheck.yml b/.github/workflows/cppcheck.yml
new file mode 100644
index 000000000..958e21db9
--- /dev/null
+++ b/.github/workflows/cppcheck.yml
@@ -0,0 +1,22 @@
+name: cppcheck-action-test
+on: [push]
+
+jobs:
+ build:
+ name: cppcheck-test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: cppcheck
+ uses: deep5050/cppcheck-action@main
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN}}
+ force: enable
+
+ - name: upload artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: cppcheck_report.txt
+ path: /home/runner/work/zowe-common-c/zowe-common-c/cppcheck_report.txt
+
diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml
new file mode 100644
index 000000000..779bdd85a
--- /dev/null
+++ b/.github/workflows/flawfinder.yml
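Review bot: `language: [ 'c' ]` is not a CodeQL language identifier — the comment on the very next line lists the supported set, and C sources are covered by `'cpp'` — so the init step is expected to reject the matrix before any code is scanned; change it to `language: [ 'cpp' ]`. CodeQL extracts C/C++ by observing a build, and this file goes straight from init to analyze: the template's autobuild step is absent between the custom-queries comment and the `ℹ` comment, and the manual `make bootstrap` / `make release` lines stay commented out, so restore `uses: github/codeql-action/autobuild@v1` or uncomment and adapt the manual build step, otherwise the analysis has nothing to look at. Separately, `actions/checkout@v2` and `github/codeql-action/*@v1` are referenced by mutable tag while flawfinder.yml and msvc.yml in this same commit pin their third-party actions by full commit SHA; pinning here too keeps the supply-chain posture consistent across the four workflows.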
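Review bot: `uses: deep5050/cppcheck-action@main` runs a third-party action from a mutable branch and hands it `${{ secrets.GITHUB_TOKEN }}`, while this workflow — unlike the other three in the commit — declares no `permissions:` block, so the token carries the repository's default permission set and whoever controls that branch decides what runs with it on every push. Pin the action to a full commit SHA as flawfinder.yml and msvc.yml do, and add a job-level `permissions:` block scoped to what the action actually needs (at least `contents: read`; check the action's documentation for anything it requires to post the report). The `on: [push]` trigger also fires on every branch rather than `v2.x/staging` like the sibling workflows, and the artifact path hard-codes `/home/runner/work/zowe-common-c/zowe-common-c/`; `path: ${{ github.workspace }}/cppcheck_report.txt` keeps it working if the repository is renamed or forked.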
@@ -0,0 +1,42 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: flawfinder
+
+on:
+ push:
+ branches: [ v2.x/staging ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ v2.x/staging ]
+
+jobs:
+ flawfinder:
+ name: Flawfinder
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: flawfinder_scan
+ uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c
+ with:
+ arguments: '--sarif ./'
+ output: 'flawfinder_results.sarif'
+
+ #- name: Upload analysis results to GitHub Security tab
+ # uses: github/codeql-action/upload-sarif@v1
+ # with:
+ # sarif_file: ${{github.workspace}}/flawfinder_results.sarif
+
+ - name: Upload SARIF as an Artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: flawfinder_results.sarif
+ path: ${{ github.workspace }}
\ No newline at end of file
diff --git a/.github/workflows/msvc.yml b/.github/workflows/msvc.yml
new file mode 100644
index 000000000..22e057735
--- /dev/null
+++ b/.github/workflows/msvc.yml
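Review bot: The artifact step's `path: ${{ github.workspace }}` uploads the entire checked-out tree, not the scan result, so the artifact named `flawfinder_results.sarif` is a copy of the repository with the SARIF file buried inside it; change it to `path: ${{ github.workspace }}/flawfinder_results.sarif`, the same path the commented-out upload-sarif step already spells out. The job also requests `security-events: write`, but the only step that would use it (upload to the Security tab) is commented out; either re-enable that step so findings actually reach code scanning, or drop the permission until it is. `actions/checkout@v2` is referenced by tag while the flawfinder action on the next step is pinned to a full SHA; pinning both keeps the job's supply-chain posture consistent.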
@@ -0,0 +1,64 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# Find more information at:
+# https://github.com/microsoft/msvc-code-analysis-action
+
+name: Microsoft C++ Code Analysis
+
+on:
+ push:
+ branches: [ v2.x/staging ]
+ pull_request:
+ branches: [ v2.x/staging ]
+
+
+env:
+ # Path to the CMake build directory.
+ build: '${{ github.workspace }}/build'
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ name: Analyze
+ runs-on: windows-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ # - name: Configure CMake
+ # run: cmake -B ${{ env.build }}
+
+ # Build is not required unless generated source files are used
+ # - name: Build CMake
+ # run: cmake --build ${{ env.build }}
+
+ - name: Initialize MSVC Code Analysis
+ uses: microsoft/msvc-code-analysis-action@04825f6d9e00f87422d6bf04e1a38b1f3ed60d99
+ # Provide a unique ID to access the sarif output path
+ id: run-analysis
+ with:
+ cmakeBuildDirectory: ${{ env.build }}
+ # Ruleset file that will determine what checks will be run
+ ruleset: NativeRecommendedRules.ruleset
+
+ # Upload SARIF file to GitHub Code Scanning Alerts
+ #- name: Upload SARIF to GitHub
+ # uses: github/codeql-action/upload-sarif@v1
+ # with:
+ # sarif_file: ${{ steps.run-analysis.outputs.sarif }}
+
+ # Upload SARIF file as an Artifact to download and view
+ - name: Upload SARIF as an Artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: sarif-file
+ path: ${{ steps.run-analysis.outputs.sarif }}
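Review bot: The `Configure CMake` step is commented out, yet `cmakeBuildDirectory: ${{ env.build }}` points the analysis action at `${{ github.workspace }}/build`, a directory nothing in this job creates; the file's own comment only calls the *build* optional, so unless the action runs CMake configure itself (confirm against its documentation) the analysis has no compile commands to work from and will fail or report nothing. Restore `- name: Configure CMake` / `run: cmake -B ${{ env.build }}` ahead of the analysis step, and verify the project actually configures with CMake on `windows-latest` before relying on this workflow. As in flawfinder.yml, `security-events: write` is granted to the job while the upload-sarif step that would use it is commented out; enable the upload or remove the permission until it is needed. `actions/checkout@v2` could also be pinned by SHA like `microsoft/msvc-code-analysis-action@04825f6d…` in the same job.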