GitHub Actions based repository scanning workflows with a primary goal of evaluating C & C++ repositories for risks.
Current scans being performed:
- clang's scan-build: Detect common C & C++ bugs using static source analysis. More details on how to integrate this scan into your CI using GitHub Actions.
- clang-tidy cognitive complexity: Calculate readability score for every function. More details on how to integrate this scan into your CI using GitHub Actions.
- OSSF Scorecard: Measure software development practices.
- CLoC: Calculate lines of code & comments.
- BinAbsInspector: Detect common C & C++ bugs using static binary analysis with Ghidra & Z3.
- Infer: checks for null pointer dereferences, memory leaks, coding conventions and unavailable APIs in C & C++ code.
Scans run monthly and results are automatically published at https://intel.github.io/srs
The repository can be forked and the existing scans replaced or new ones added. All you need to add is a GitHub PAT to secrets with the name `GHPAT`.
- Create a workflow YAML file under `.github/workflows/my-new-scan.yml` with the following required inputs:

  ```yaml
  on:
    workflow_call:
      inputs:
        repo:
          description: 'repo'
          required: true
          default: ''
          type: string
        rate-limit:
          description: 'rate limit GitHub API requests'
          required: false
          default: 150
          type: number
  ```

  For steps you can define whatever is needed to perform the scan as you would with a workflow. Use the Upload-Artifact Action to store the results of the scan with a key that uniquely identifies the repo and the scan (for example `some-repo.my-new-scan.results.zip`). It is advisable to check the GitHub API rate limit and sleep if there are fewer than 150 calls remaining for your token.
- Add a call to the new workflow in `.github/workflows/srs.yml`:

  ```yaml
  on:
    workflow_dispatch:
      inputs:
        ...
        my-new-scan:
          description: 'Run my-new-scan workflow'
          required: false
          type: number
          default: 0
        ...
  jobs:
    ...
    my-new-scan:
      if: inputs.my-new-scan == 1
      needs: matrix
      secrets: inherit
      strategy:
        matrix: ${{fromJson(needs.matrix.outputs.matrix)}}
        fail-fast: false # don't stop other jobs if one fails
      uses: ./.github/workflows/my-new-scan.yml
      with:
        repo: ${{ matrix.repo }}
  ```
- Add the new scan to the `next` job's `needs` list:

  ```yaml
  next:
    needs: [..., my-new-scan]
  ```
- Add `my-new-scan` to the enabled workflows in `query.yml`:

  ```yaml
  ...
  workflows:
    description: 'List of workflows to enable (CSV)'
    required: false
    type: string
    default: '...,my-new-scan'
  ...
  ```
- Add the scan's result file (for example `my-new-scan.results.zip`) to the `aggregate` function in `query/summary.sh`:

  ```bash
  # Copy every downloaded my-new-scan artifact into the aggregate directory;
  # a missing file is not an error, so the rest of the aggregation continues.
  for f in $(find "$ARTIFACT_DIR" -type f -name '*.my-new-scan.results.zip'); do
    cp "$f" "$ARTIFACT_DIR/aggregate-results/" || :
  done
  ```
Results will be saved and published on GitHub Pages as part of the next scan.
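Putting the first step together, here is a complete reusable scan workflow written as an added example (it is not part of the SRS repository): it declares the required inputs, sleeps when fewer than `rate-limit` API calls remain, and uploads its results under the `<repo>.my-new-scan.results.zip` key. It assumes `inputs.repo` has the form `owner/name` and uses a placeholder step where the real scan would run.

```yaml
# Added example (not from the SRS repo): a reusable scan workflow following the conventions above;
# it assumes inputs.repo is "owner/name" and uses a placeholder step in place of the real scan.
name: my-new-scan
on:
  workflow_call:
    inputs:
      repo:
        description: 'repo'
        required: true
        default: ''
        type: string
      rate-limit:
        description: 'rate limit GitHub API requests'
        required: false
        default: 150
        type: number
jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ secrets.GHPAT }}  # available through `secrets: inherit` in srs.yml
      REPO: ${{ inputs.repo }}        # via env, so the input is never spliced into a script
    steps:
      - name: Wait if the API rate limit is low
        env:
          LIMIT: ${{ inputs.rate-limit }}
        run: |
          remaining=$(gh api rate_limit --jq '.resources.core.remaining')
          if [ "$remaining" -lt "$LIMIT" ]; then
            reset=$(gh api rate_limit --jq '.resources.core.reset')
            wait=$(( reset - $(date +%s) + 5 ))
            if [ "$wait" -gt 0 ]; then sleep "$wait"; fi
          fi
      - name: Check out the repository to scan
        uses: actions/checkout@v4
        with:
          repository: ${{ inputs.repo }}
          token: ${{ secrets.GHPAT }}
      - name: Run scan (placeholder; write findings under results/)
        run: |
          mkdir -p results
          echo "scan of $REPO goes here" > results/placeholder.txt
      - name: Derive artifact name (<repo>.my-new-scan.results.zip)
        id: art
        run: echo "name=$(basename "$REPO").my-new-scan.results.zip" >> "$GITHUB_OUTPUT"
      - name: Upload results
        uses: actions/upload-artifact@v4
        with:
          name: ${{ steps.art.outputs.name }}
          path: results/
```

The `basename` step strips the owner so the artifact key matches the `*.my-new-scan.results.zip` pattern that `query/summary.sh` aggregates.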