Skip to content

Commit

Permalink
Add SAST workflows
Browse files Browse the repository at this point in the history
  • Loading branch information
szsam committed Jul 29, 2023
1 parent bb15505 commit cd66acb
Show file tree
Hide file tree
Showing 6 changed files with 255 additions and 0 deletions.
58 changes: 58 additions & 0 deletions .github/workflows/JacobDomagala-StaticAnalysis.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
name: Static analysis

on:
# Will run on push when merging to 'branches'. The output will be shown in the console
push:
branches:
- develop
- master
- main
- sast

# 'pull_request_target' allows this Action to also run on forked repositories
# The output will be shown in PR comments (unless the 'force_console_print' flag is used)
pull_request_target:
branches:
- "*"

jobs:
static_analysis:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v2

#- name: setup init_script
# shell: bash
# run: |
# echo "#!/bin/bash

# # Input args provided by StaticAnalysis action
# root_dir=\${1}
# build_dir=\${2}
# echo \"Hello from the init script! First arg=\${root_dir} second arg=\${build_dir}\"

# add-apt-repository ppa:oibaf/graphics-drivers
# apt update && apt upgrade
# apt install -y libvulkan1 mesa-vulkan-drivers vulkan-utils" > init_script.sh

- name: Run static analysis
uses: JacobDomagala/StaticAnalysis@master
with:
# # Exclude any issues found in ${Project_root_dir}/lib
# exclude_dir: lib

use_cmake: false

# # Additional apt packages that need to be installed before running Cmake
# apt_pckgs: software-properties-common libglu1-mesa-dev freeglut3-dev mesa-common-dev

# # Additional script that will be run (sourced) AFTER 'apt_pckgs' and before running Cmake
# init_script: init_script.sh

# # (Optional) clang-tidy args
# clang_tidy_args: -checks='*,fuchsia-*,google-*,zircon-*,abseil-*,modernize-use-trailing-return-type'

# # (Optional) cppcheck args
# cppcheck_args: --enable=all --suppress=missingInclude

86 changes: 86 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"

on:
push:
branches: [ "master", "sast" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "master" ]
#schedule:
# - cron: '31 2 * * 1'

jobs:
analyze:
name: Analyze
# Runner size impacts CodeQL analysis time. To learn more, please see:
# - https://gh.io/recommended-hardware-resources-for-running-codeql
# - https://gh.io/supported-runners-and-hardware-resources
# - https://gh.io/using-larger-runners
# Consider using larger runners for possible analysis time improvements.
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
permissions:
actions: read
contents: read
security-events: write

strategy:
fail-fast: false
matrix:
language: [ 'cpp' ]
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
# Use only 'java' to analyze code written in Java, Kotlin or both
# Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

steps:
- name: Checkout repository
uses: actions/checkout@v3
with:
submodules: recursive
fetch-depth: 0

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.

# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality


# Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v2

# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

# If the Autobuild fails above, remove it and uncomment the following three lines.
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.

# - run: |
# echo "Run, Build Application using script"
# ./location_of_script_within_repo/buildscript.sh

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{matrix.language}}"

24 changes: 24 additions & 0 deletions .github/workflows/cpp-linter.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
name: cpp-linter

on:
push:
pull_request:

jobs:
cpp-linter:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: cpp-linter/cpp-linter-action@v2
id: linter
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
# style: file
files-changed-only: false

- name: Fail fast?!
if: steps.linter.outputs.checks-failed > 0
run: echo "Some files failed the linting checks!"
# for actual deployment
# run: exit 1
25 changes: 25 additions & 0 deletions .github/workflows/cppcheck.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
name: cppcheck-action-test
on: [push]

jobs:
build:
name: cppcheck-test
runs-on: ubuntu-latest
#runs-on: self-hosted
permissions:
contents: write
steps:
- uses: actions/checkout@v2

- name: cppcheck
uses: deep5050/cppcheck-action@main
with:
github_token: ${{ secrets.GITHUB_TOKEN}}
#other_options: -j16


- name: publish report
uses: mikeal/publish-to-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
BRANCH_NAME: 'sast' # your branch name goes here
38 changes: 38 additions & 0 deletions .github/workflows/flawfinder.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

name: flawfinder

on:
push:
branches: [ "master", "sast" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "master" ]
#schedule:
# - cron: '19 12 * * 3'

jobs:
flawfinder:
name: Flawfinder
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v3

- name: flawfinder_scan
uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c
with:
arguments: '--sarif ./'
output: 'flawfinder_results.sarif'

- name: Upload analysis results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{github.workspace}}/flawfinder_results.sarif
24 changes: 24 additions & 0 deletions .github/workflows/trunk-check.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
name: trunk-io
on: [push, pull_request]
concurrency:
group: ${{ github.head_ref || github.run_id }}
cancel-in-progress: true

permissions: read-all

jobs:
trunk_check:
name: Trunk Check Runner
runs-on: ubuntu-latest
permissions:
checks: write # For trunk to post annotations
contents: read # For repo checkout

steps:
- name: Checkout
uses: actions/checkout@v3

- name: Trunk Check
uses: trunk-io/trunk-action@v1
with:
check-mode: all

1 comment on commit cd66acb

@github-actions
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Flaws found

Error: encoding error in ./examples/rnn-denoise/mfcc.c
'utf-8' codec can't decode byte 0xa3 in position 1052: invalid start byte

Python3 requires input character data to be perfectly encoded;
it also requires perfectly correct system encoding settings.
Unfortunately, your data and/or system settings are not.
Here are some options:
1. Run: PYTHONUTF8=0 python3 flawfinder
   if your system and and data are all properly set up for
   a non-UTF-8 encoding.
2. Run: PYTHONUTF8=0 LC_ALL=C.ISO-2022 python3 flawfinder
   if your data has a specific encoding such as ISO-2022
   (replace "ISO-2022" with the name of your encoding,
   and optionally replace "C" with your native language).
3. Run: PYTHONUTF8=0 LC_ALL=C.ISO-8859-1 python3 flawfinder
   if your data has an unknown or inconsistent encoding
   (ISO-8859-1 encoders normally allow anything).
4. Convert all your source code to the UTF-8 encoding.
   The system program "iconv" or Python program "cvt2utf" can
   do this (for cvt2utf, you can use "pip install cvt2utf").
5. Run: python2 flawfinder
   (That is, use Python 2 instead of Python 3).
Some of these options may not work depending on circumstance.
In the long term, we recommend using UTF-8 for source code.
For more information, see the documentation.

Please sign in to comment.