├── README.md └── action.yml /README.md: -------------------------------------------------------------------------------- 1 | # Security-Code-Scan Results Action 2 | 3 | This action is designed to run as part of a workflow that builds projects referencing NuGet [SecurityCodeScan.VS2019](https://www.nuget.org/packages/SecurityCodeScan.VS2019/). 4 | 5 | It produces a GitHub-compatible SARIF file for uploading to the repository's 'Code scanning alerts'. 6 | 7 | # Usage 8 | 9 | See [action.yml](action.yml) 10 | 11 | ### Input Parameters 12 | 13 | **sarif_directory**: _(optional)_ The output directory where SARIF files should be collected. 14 | 15 | ### Workflow Examples 16 | 17 | ```yaml 18 | on: 19 | push: 20 | 21 | jobs: 22 | SCS: 23 | runs-on: ubuntu-latest 24 | steps: 25 | - uses: actions/checkout@v2 26 | 27 | - name: Set up projects 28 | uses: security-code-scan/security-code-scan-add-action@v1.2 29 | 30 | - name: Build 31 | run: | 32 | dotnet restore 33 | dotnet build 34 | 35 | - name: Convert sarif for uploading to GitHub 36 | uses: security-code-scan/security-code-scan-results-action@v1 37 | 38 | - name: Upload sarif 39 | uses: github/codeql-action/upload-sarif@v1 40 | ``` 41 | 42 | For a .NET 4.x example, see the [FullDotNetWebApp demo repository](https://github.com/security-code-scan/FullDotNetWebApp). 43 | -------------------------------------------------------------------------------- /action.yml: -------------------------------------------------------------------------------- 1 | name: 'SecurityCodeScan' 2 | description: 'Security Code Scan action to upload code scanning results' 3 | branding: 4 | icon: 'check-circle' 5 | color: 'purple' 6 | inputs: 7 | sarif_directory: 8 | description: The output directory where SARIF files should be collected. 
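# action.yml (continued): remaining keys of the sarif_directory input, then the composite steps.
    required: false
    default: '../results'
runs:
  using: "composite"
  steps:
    - name: Convert sarif
      shell: bash
      # The input is handed to the script through an environment variable instead of
      # being expanded with ${{ }} inside `run:`. An expression expanded inline becomes
      # part of the shell source text, so a value containing shell metacharacters would
      # be executed; an environment variable is only ever data.
      env:
        SARIF_DIRECTORY: ${{ inputs.sarif_directory }}
      run: |
        dotnet tool install --global Sarif.Multitool --version 2.3.10
        outputDir="$SARIF_DIRECTORY"
        # -p: do not fail (or complain) when the directory already exists.
        mkdir -p "$outputDir"

        # The heredoc delimiter is quoted so bash performs no expansion inside the
        # script; backslashes in the regexes below are exactly what JavaScript sees.
        cat << 'EOF' > convert.js
        'use strict';
        const fs = require('fs');

        // Usage: node convert.js <input.sarif> <output.sarif>
        //
        // Rewrites a SARIF log produced by the SecurityCodeScan analyzers into the
        // shape expected by GitHub code scanning: only SCS* rules and results are
        // kept, the driver metadata is normalised, results that carry their location
        // only inside the message text get a synthesized physicalLocation, and the
        // rule help is replaced by the rule's helpUri.
        const [inputPath, outputPath] = process.argv.slice(2);
        if (inputPath === undefined || outputPath === undefined) {
          console.error('usage: node convert.js <input.sarif> <output.sarif>');
          process.exit(2);
        }
        const sarif = JSON.parse(fs.readFileSync(inputPath, 'utf8'));

        // Only SecurityCodeScan rules (ids starting with "SCS") are of interest;
        // a missing id is treated as "not ours" instead of throwing.
        const isScsRule = (id) => typeof id === 'string' && id.startsWith('SCS');

        // "<message> in <path>(<line>):<rest>" - the layout used when the analyzer
        // embedded the location in the message instead of a structured location.
        const locationInMessage = /(.*) in (.*)\((\d+)\)(:.*)/;

        for (const run of sarif.runs || []) {
          const driver = run.tool.driver;
          driver.name = 'SecurityCodeScan';
          driver.fullName = 'Vulnerability Patterns Detector for C# and VB.NET';
          driver.informationUri = 'https://security-code-scan.github.io';

          run.results = (run.results || []).filter((result) => isScsRule(result.ruleId));
          driver.rules = (driver.rules || []).filter((rule) => isScsRule(rule.id));

          for (const result of run.results) {
            // ruleIndex pointed into the unfiltered rules array and would now be
            // wrong; relatedLocations is dropped as well. Properties set to
            // undefined are omitted by JSON.stringify.
            result.ruleIndex = undefined;
            result.relatedLocations = undefined;

            if (result.locations !== undefined) continue;

            const text = (result.message || {}).text;
            const match = typeof text === 'string' ? locationInMessage.exec(text) : null;
            if (match === null) {
              // Keep the result rather than aborting the whole conversion; GitHub
              // will still receive it, just without a synthesized location.
              console.warn(`convert.js: no location found in message of ${result.ruleId}: ${text}`);
              continue;
            }

            result.message.text = match[1];
            result.locations = [{
              physicalLocation: {
                artifactLocation: {
                  // Windows path separators are normalised for the file:/// URI.
                  uri: 'file:///' + match[2].replace(/\\/g, '/'),
                },
                region: {
                  startLine: Number(match[3]),
                  startColumn: 1,
                  endLine: Number(match[3]),
                  endColumn: 1,
                },
              },
            }];
          }

          for (const rule of driver.rules) {
            rule.shortDescription = undefined;
            rule.help = { text: rule.helpUri };
          }

          run.language = undefined;
        }

        fs.writeFileSync(outputPath, JSON.stringify(sarif, null, 2));
        EOF

        # Collect the file list before converting anything so that files already
        # renamed into $outputDir are never picked up a second time; -print0 and
        # mapfile keep paths containing spaces or glob characters intact.
        mapfile -d '' sarifFiles < <(find ./ -type f -name '*.sarif' -print0)
        i=0
        for sarifFile in "${sarifFiles[@]}"; do
          # Upgrade to the current SARIF schema in place, then rewrite for GitHub.
          sarif transform "$sarifFile" --output "$sarifFile" -f --sarif-output-version Current
          node convert.js "$sarifFile" "$sarifFile"
          mv "$sarifFile" "$outputDir/$((i++)).sarif"
        done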