GitHub Actions-based repository scanning workflows with a primary goal of evaluating C & C++ repositories for risks.
Current scans being performed:
- clang's scan-build: Detect common C & C++ bugs using static source analysis. More details on how to integrate this scan into your CI using GitHub Actions.
- clang-tidy cognitive complexity: Calculate readability score for every function. More details on how to integrate this scan into your CI using GitHub Actions.
- OSSF Scorecard: Measure software development practices.
- CLoC: Calculate lines of code & comments.
- BinAbsInspector: Detect common C & C++ bugs using static binary analysis with Ghidra & Z3.
- Infer: Infer checks for null pointer dereferences, memory leaks, coding conventions and unavailable APIs in C & C++ code.
Scans run monthly and results are automatically published at https://intel.github.io/srs
The repository can be forked and the existing scans replaced or new ones added. All you need to add is a GitHub PAT to secrets with the name GHPAT.
- Create a workflow YAML file under `.github/workflows/my-new-scan.yml` with the following required inputs:

```yaml
on:
  workflow_call:
    inputs:
      repo:
        description: 'repo'
        required: true
        default: ''
        type: string
      rate-limit:
        description: 'rate limit GitHub API requests'
        required: false
        default: 150
        type: number
```

  For steps you can define whatever is needed to perform the scan, as you would in any workflow. Use the Upload-Artifact Action to store the results of the scan under a key that uniquely identifies the repo and the scan (for example `some-repo.my-new-scan.results.zip`). It is advisable to check the GitHub API rate limit and sleep if there are fewer than 150 calls remaining for your token.
- Add a call to the new workflow in `.github/workflows/srs.yml`:

```yaml
on:
  workflow_dispatch:
    inputs:
      ...
      my-new-scan:
        description: 'Run my-new-scan workflow'
        required: false
        type: number
        default: 0
      ...
jobs:
  ...
  my-new-scan:
    if: inputs.my-new-scan == 1
    needs: matrix
    secrets: inherit
    strategy:
      matrix: ${{fromJson(needs.matrix.outputs.matrix)}}
      fail-fast: false # don't stop other jobs if one fails
    uses: ./.github/workflows/my-new-scan.yml
    with:
      repo: ${{ matrix.repo }}
```

- Add the new scan to the `next` job's `needs` list:

```yaml
next:
  needs: [..., my-new-scan]
```

- Add my-new-scan to the enabled workflows in `query.yml`:

```yaml
...
workflows:
  description: 'List of workflows to enable (CSV)'
  required: false
  type: string
  default: '...,my-new-scan'
...
```

- Add the scan's result file (for example `my-new-scan.results.zip`) to the `aggregate` function in `query/summary.sh`:

```bash
for f in $(find "$ARTIFACT_DIR" -type f -name '*.my-new-scan.results.zip'); do
  cp "$f" "$ARTIFACT_DIR/aggregate-results/" || :
done
```

Results will be saved and published on GitHub Pages as part of the next scan.
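Putting the first step together with the rate-limit and artifact conventions above, here is a complete reusable scan workflow as an added example; it is not code from the srs repository. It assumes that `repo` arrives as `owner/name` (the form `matrix.repo` is presumed to carry), that the PAT is available as the `GHPAT` secret through `secrets: inherit`, and it uses `cloc` as a stand-in for whatever scanner you actually run. The GitHub `GET /rate_limit` endpoint, `actions/checkout@v4` and `actions/upload-artifact@v4` are real; everything else is illustrative.

```yaml
# .github/workflows/my-new-scan.yml -- added example of a reusable scan
# workflow following the steps above; not part of the srs repository.
# Assumptions: `repo` is "owner/name", the PAT is in the GHPAT secret,
# and `cloc` stands in for the real scanner.
name: my-new-scan

on:
  workflow_call:
    inputs:
      repo:
        description: 'repo'
        required: true
        default: ''
        type: string
      rate-limit:
        description: 'rate limit GitHub API requests'
        required: false
        default: 150
        type: number

permissions:
  contents: read   # the job only reads code; grant no write scopes

jobs:
  scan:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      - name: Wait if fewer than rate-limit API calls remain for the token
        env:
          GH_TOKEN: ${{ secrets.GHPAT }}
          THRESHOLD: ${{ inputs.rate-limit }}
        run: |
          # GET /rate_limit does not itself count against the quota.
          while :; do
            json=$(curl -sS -H "Authorization: Bearer ${GH_TOKEN}" \
                        -H "Accept: application/vnd.github+json" \
                        https://api.github.com/rate_limit)
            remaining=$(printf '%s' "$json" | jq -r '.rate.remaining')
            reset=$(printf '%s' "$json" | jq -r '.rate.reset')
            if [ "$remaining" -ge "$THRESHOLD" ]; then
              echo "rate limit ok: $remaining calls remaining"
              break
            fi
            # sleep until the window resets (plus a small margin)
            wait=$(( reset - $(date +%s) + 5 ))
            [ "$wait" -gt 0 ] || wait=60
            echo "only $remaining calls left; sleeping ${wait}s until reset"
            sleep "$wait"
          done

      - name: Check out the repository to scan
        uses: actions/checkout@v4
        with:
          repository: ${{ inputs.repo }}
          token: ${{ secrets.GHPAT }}
          path: target
          persist-credentials: false   # do not leave the PAT in .git/config

      - name: Run the scan (cloc stands in for the real scanner)
        run: |
          sudo apt-get update -qq && sudo apt-get install -y -qq cloc
          mkdir -p results
          cloc --json target > results/my-new-scan.json

      - name: Derive the artifact name from the repo
        id: meta
        env:
          REPO: ${{ inputs.repo }}   # passed via env so the value is never parsed as shell
        run: echo "name=${REPO##*/}.my-new-scan.results.zip" >> "$GITHUB_OUTPUT"

      - name: Upload results
        uses: actions/upload-artifact@v4
        with:
          name: ${{ steps.meta.outputs.name }}
          path: results/
          if-no-files-found: error
```

Two choices are deliberate. The `repo` input is handed to the shell through an environment variable rather than interpolated into the `run:` script, so a matrix entry containing shell metacharacters cannot change what the step executes; and `persist-credentials: false` keeps the PAT out of the checked-out tree, which matters because the scanner runs over that tree and its output is uploaded as a public artifact. Because GitHub runs `bash` with `-e` for `run:` steps, a malformed rate-limit response (for example `null` in `remaining`) fails the step loudly instead of silently skipping the wait.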