├── .gitignore
├── CODE_OF_CONDUCT.md
├── Dockerfile
├── entrypoint.sh
├── LICENSE
├── action.yml
├── SECURITY.md
└── README.md

/.gitignore:
--------------------------------------------------------------------------------
################################################################################
# This .gitignore file was automatically created by Microsoft(R) Visual Studio.
################################################################################

/.vs
--------------------------------------------------------------------------------

/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
# Microsoft Open Source Code of Conduct

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).

Resources:

- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
--------------------------------------------------------------------------------

/Dockerfile:
--------------------------------------------------------------------------------
FROM mcr.microsoft.com/dotnet/sdk:8.0

RUN mkdir /tools

# Stable release of the Application Inspector CLI.
RUN dotnet tool install --tool-path /tools Microsoft.CST.ApplicationInspector.Cli

# Also install the latest pre-release into /beta-tools. --prerelease picks the highest
# available version, so if the stable release is newer than any pre-release it is used instead.
RUN dotnet tool install --tool-path /beta-tools Microsoft.CST.ApplicationInspector.Cli --prerelease

COPY entrypoint.sh /entrypoint.sh

# The entrypoint only needs to be executable; it does not need to be world-writable.
RUN chmod 755 /entrypoint.sh

ENTRYPOINT ["/entrypoint.sh"]
--------------------------------------------------------------------------------

/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# $1 is the path, relative to the repository root, to scan
# $2 is the output path, relative to the repository root
# $3 is the output format
# $4 is the comma-separated list of glob patterns to ignore
# $5 is any additional arguments passed through to `analyze`
# $6 is whether the pre-release build should be used

# Lower-case the format so "HTML" and "Html" are rejected as well.
if [ "${3,,}" = "html" ]; then
  echo "html output is not supported in the GitHub Action."
  exit 1
fi

if [ "$1" = "GITHUB_WORKSPACE" ]; then
  ScanTarget=$GITHUB_WORKSPACE
else
  ScanTarget=$GITHUB_WORKSPACE/$1
fi

# The default output name gets the format as its extension; a custom path is used as given.
if [ "$2" = "AppInspectorResults" ]; then
  OutputPath=$GITHUB_WORKSPACE/$2.$3
else
  OutputPath=$GITHUB_WORKSPACE/$2
fi

# Build "-g <pattern>,<pattern>,..." with every pattern anchored to the workspace root.
# Note: no spaces around "=" in shell assignments, otherwise bash tries to run "IgnoreArg" as a command.
if [ "$4" != "," ]; then
  IFS=',' read -ra SPLITS <<< "$4"
  for i in "${SPLITS[@]}"; do
    IgnoreArg="${IgnoreArg},$GITHUB_WORKSPACE/$i"
  done
  IgnoreArg="-g ${IgnoreArg:1}"
fi

# $IgnoreArg and $5 are intentionally unquoted so they split into separate arguments.
if [ "$6" = "true" ]; then
  /beta-tools/appinspector analyze --no-show-progress -s "$ScanTarget" -o "$OutputPath" -f "$3" $IgnoreArg $5
else
  /tools/appinspector analyze --no-show-progress -s "$ScanTarget" -o "$OutputPath" -f "$3" $IgnoreArg $5
fi
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) Microsoft Corporation.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/action.yml:
--------------------------------------------------------------------------------
name: 'AppInspector'
description: 'Run Application Inspector Static Analysis to identify coding features of first or third party software components.'
inputs:
  location-to-scan:
    description: 'The path relative to repository root to scan.'
    required: false
    default: 'GITHUB_WORKSPACE'
  output-path:
    description: 'The path relative to repository root to write the output to.'
    required: false
    default: 'AppInspectorResults'
  output-format:
    description: 'Output format [json|text|sarif]. html is not supported in the GitHub Action.'
    required: false
    default: 'json'
  file-path-exclusions:
    description: 'Comma separated list of file path patterns to exclude.'
    required: false
    default: ','
  arguments:
    description: 'Other arguments to Application Inspector'
    required: false
    default: ''
  pre-release:
    description: 'If there is a pre-release version with a later version number, use it. Otherwise the latest stable release is used.'
    required: false
    default: false

branding:
  icon: 'check-square'
  color: 'green'
runs:
  using: 'docker'
  image: 'Dockerfile'
  args:
    - ${{ inputs.location-to-scan }}
    - ${{ inputs.output-path }}
    - ${{ inputs.output-format }}
    - ${{ inputs.file-path-exclusions }}
    - ${{ inputs.arguments }}
    - ${{ inputs.pre-release }}
--------------------------------------------------------------------------------

/SECURITY.md:
--------------------------------------------------------------------------------
## Security

Microsoft takes the security of our software products and services seriously, including all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).

If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)), please report it to us as described below.

## Reporting Security Issues

**Please do not report security vulnerabilities through public GitHub issues.**

Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://msrc.microsoft.com/create-report).

If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://www.microsoft.com/en-us/msrc/pgp-key-msrc).

You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc).

Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:

* Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
* Full paths of source file(s) related to the manifestation of the issue
* The location of the affected source code (tag/branch/commit or direct URL)
* Any special configuration required to reproduce the issue
* Step-by-step instructions to reproduce the issue
* Proof-of-concept or exploit code (if possible)
* Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://microsoft.com/msrc/bounty) page for more details about our active programs.

## Preferred Languages

We prefer all communications to be in English.

## Policy

Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Application Inspector GitHub Action

Microsoft Application Inspector is a software source code characterization tool that helps **identify coding features of first or third party software components** based on well-known library/API calls, and is useful in security and non-security use cases. It uses hundreds of rules and regex patterns to surface interesting characteristics of source code to aid in determining **what the software is** or **what it does**. It received industry attention as a new and valuable contribution to OSS on [ZDNet](https://www.zdnet.com/article/microsoft-application-inspector-is-now-open-source-so-use-it-to-test-code-security/), [SecurityWeek](https://www.securityweek.com/microsoft-introduces-free-source-code-analyzer), [CSOOnline](https://www.csoonline.com/article/3514732/microsoft-s-offers-application-inspector-to-probe-untrusted-open-source-code.html), [Linux.com/news](https://www.linux.com/news/microsoft-application-inspector-is-now-open-source-so-use-it-to-test-code-security/), [HelpNetSecurity](https://www.helpnetsecurity.com/2020/01/17/microsoft-application-inspector/), Twitter and more, and was first featured on [Microsoft.com](https://www.microsoft.com/security/blog/2020/01/16/introducing-microsoft-application-inspector/).

The tool supports scanning various programming languages including C, C++, C#, Java, JavaScript, HTML, Python, Objective-C, Go, Ruby, PowerShell and [more](https://github.com/microsoft/ApplicationInspector/wiki/2.1-Field:-applies_to-(languages-support)), and can scan projects with mixed-language files.

See the project [wiki](https://Github.com/Microsoft/ApplicationInspector/wiki) for **illustrations** and additional information and help.

This Action calls the Analyze functionality of Application Inspector.

## Usage

Add Application Inspector to your GitHub Actions workflow as below to scan the repository root and write the results to `AppInspectorResults.json` in the repository root.

```yaml
- uses: actions/checkout@v2
- uses: microsoft/ApplicationInspector-Action@v1
- uses: actions/upload-artifact@v2
  with:
    name: AppInspectorResults
    path: AppInspectorResults.json
```

A common use case is to run Application Inspector in tags-only mode (`-t`):

```yaml
- uses: microsoft/ApplicationInspector-Action@v1
  with:
    arguments: -t
```

The action also accepts the options below. Values given in `arguments` are passed straight through to the `analyze` command; see its documentation in the Application Inspector [wiki](https://github.com/microsoft/ApplicationInspector/wiki/1.-CLI-Usage#analyze-command) for guidance. `html` output is not supported in the Action.

```yaml
- uses: microsoft/ApplicationInspector-Action@v1
  with:
    location-to-scan: relative/path/in/repo
    output-path: relative/path/in/repo
    output-format: [json | text | sarif]
    file-path-exclusions: comma,separated,glob,patterns
    arguments: -any -arguments -to -analyze
    pre-release: [ true | false ]
```

## Main Project

The engine powering this GitHub Action is also available [here](https://github.com/Microsoft/ApplicationInspector) as a CLI.

## Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a
Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide
a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
--------------------------------------------------------------------------------
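The README's Usage section shows the action's inputs one at a time. The following complete workflow is an added example, not part of the project's own documentation: it combines the inputs from `action.yml` to scan only a subdirectory, exclude two path patterns (which `entrypoint.sh` anchors to the repository root before passing them as `-g`), write SARIF, keep the file as a build artifact and upload it to GitHub code scanning. The `src/` layout, the exclusion patterns, the job trigger and the upload via `github/codeql-action/upload-sarif` are assumptions about the consuming repository, not requirements of this action; `security-events: write` is only needed by that upload step.

```yaml
# Added example workflow (assumed file: .github/workflows/appinspector.yml), not from the project.
name: Application Inspector

on:
  push:
    branches: [main]      # assumed default branch
  pull_request:

permissions:
  contents: read
  security-events: write  # required only for the upload-sarif step below

jobs:
  appinspector:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      # Scan src/ only (assumed layout) and skip vendored and test trees.
      # Patterns are relative to the repository root; entrypoint.sh prefixes
      # each one with $GITHUB_WORKSPACE and passes them as "-g a,b".
      # A custom output-path is used as given, so the extension is spelled out here.
      - uses: microsoft/ApplicationInspector-Action@v1
        with:
          location-to-scan: src
          output-path: appinspector.sarif
          output-format: sarif
          file-path-exclusions: src/vendor/**,src/**/test/**

      # Keep the raw report with the run for later review.
      - uses: actions/upload-artifact@v2
        with:
          name: AppInspectorResults
          path: appinspector.sarif

      # Surface the findings in the repository's Security tab (assumed to be wanted).
      - uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: appinspector.sarif
```

Because `entrypoint.sh` rejects `html` and only special-cases the default output name, pick a non-default `output-path` with the matching extension whenever `output-format` is changed, as done above.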