Comments (31)

eddynaka avatar eddynaka commented on July 21, 2024 1

@yongyan-gh , can you take a look?

we have something similar: https://github.com/microsoft/sarif-actions

from flawfinder.

david-a-wheeler avatar david-a-wheeler commented on July 21, 2024 1

Not requiring a GitHub PAT is a great reason to merge this work, and I'm delighted to create an official action.

from flawfinder.

david-a-wheeler avatar david-a-wheeler commented on July 21, 2024

@michaelcfanning @jhutchings1 @eddynaka @yongyan-gh - now that SARIF output is in Flawfinder, I think that adding a GitHub Actions integration should be easy. Anyone interested in doing that, since for many use cases that's the final step?

from flawfinder.

eddynaka avatar eddynaka commented on July 21, 2024

Hi @david-a-wheeler , should we create a new repo only for the action or would u like to keep it in this repo?

from flawfinder.

david-a-wheeler avatar david-a-wheeler commented on July 21, 2024

@eddynaka - I have a mild preference to keeping in this repo. That way they can be kept in sync if necessary.

However, if that's inconvenient, a new repo is fine. The goal is to make it easy to use :-).

from flawfinder.

josepalafox avatar josepalafox commented on July 21, 2024

Here's maybe a better resource with a lot of details on how to write the action and workflow file so that we can surface it on GitHub.com in the UI.

https://partner.github.com/integration-resources/2021/03/09/pattern-integrating-with-code-scanning.html

The action can live in this repo but marketplace has a 1:1 mapping of repos to actions so if you anticipate the need for multiple actions to be published to marketplace they may need their own repos. I think for a scanner you'll probably only have 1 action so colocated would be great!

from flawfinder.

david-a-wheeler avatar david-a-wheeler commented on July 21, 2024

I expect the only action to be "scan this repo". It should be possible to configure the scan, but that should be doable with environment variables and such. We don't support a configuration file, but we could add that if it's important.

from flawfinder.

david-a-wheeler avatar david-a-wheeler commented on July 21, 2024

So, is someone volunteering to write the action & workflow file?

from flawfinder.

yongyan-gh avatar yongyan-gh commented on July 21, 2024

hi @david-a-wheeler,

in order to create boilerplate workflow and publish to github, we need to refill below information, can you pls review?

{
  "name": "flawfinder",
  "creator": "David A. Wheeler",
  "description": "Flawfinder is a simple program that scans C/C++ source code and reports potential security flaws.",
  "iconName": "flawfinder",
  "categories": ["Code Scanning", "C", "C++"]
}

And also a svg icon file is required to show the flawfinder workflow in security tab. Can you please share the icon file?

from flawfinder.

david-a-wheeler avatar david-a-wheeler commented on July 21, 2024

@yongyan-gh - the JSON looks fine.

I don't think I have an svg file, but I could make one.

I just found this thing. Thoughts?: https://github.com/marketplace/actions/flawfinder-action

from flawfinder.

eddynaka avatar eddynaka commented on July 21, 2024

Hi @david-a-wheeler , I saw that but that kind of action:

  1. Is owned by someone else (it's not "official")
  2. It requires a GitHub PAT

With the change we are adding, we would create an official action that does not require the PAT and we would also make the changes in https://github.com/actions/starter-workflows so it would show flawfinder in the security tab as well.

Let us know if we should pursue and merge the action that we just created.
Thank you

from flawfinder.
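The point made in the comment above, that an official action can upload Flawfinder's SARIF to the Security tab using only the workflow's default GITHUB_TOKEN, is illustrated by the following workflow file. This is an added example and not the workflow from the flawfinder repository or from actions/starter-workflows; it assumes that flawfinder is installable from PyPI, that its `--sarif` option writes SARIF to stdout, and that the `github/codeql-action/upload-sarif` action accepts a `sarif_file` input.

```yaml
# Added example workflow (not the project's own): run Flawfinder and upload
# its SARIF output to GitHub code scanning without a personal access token.
name: flawfinder

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# The default GITHUB_TOKEN needs security-events: write to upload SARIF.
# This permission grant is what removes the need for a PAT.
permissions:
  contents: read
  security-events: write

jobs:
  flawfinder:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Assumption: flawfinder is published on PyPI.
      - name: Install flawfinder
        run: python3 -m pip install flawfinder

      # Assumption: --sarif emits a SARIF log on stdout. The file name is
      # arbitrary and is only referenced by the upload step below.
      - name: Scan C/C++ sources
        run: flawfinder --sarif . > flawfinder_results.sarif

      # Upload the results so they appear under Security > Code scanning.
      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: flawfinder_results.sarif
```

The scan step never needs repository credentials; the only privileged operation is the upload, and it is authorised by the job-scoped token with the `security-events: write` permission rather than by a long-lived PAT stored in repository secrets, which keeps the workflow's blast radius to the code-scanning API.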

eddynaka avatar eddynaka commented on July 21, 2024

Hi @david-a-wheeler , @yongyan-gh will create another PR fixing one issue with the SARIF and, once merged, we will finish the action.

from flawfinder.

yongyan-gh avatar yongyan-gh commented on July 21, 2024

@david-a-wheeler this is the PR fixing SARIF issue #52, please review.

from flawfinder.

yongyan-gh avatar yongyan-gh commented on July 21, 2024

@yongyan-gh - the JSON looks fine.

I don't think I have an svg file, but I could make one.

I just found this thing. Thoughts?: https://github.com/marketplace/actions/flawfinder-action

hi @david-a-wheeler please share the Flawfinder icon file in svg format once you create one.

from flawfinder.

david-a-wheeler avatar david-a-wheeler commented on July 21, 2024

I've made creating an icon a separate issue, here: #53

If someone has talent to do that, I'd love to know. Otherwise I'll create a "stub" & we can replace it later once someone with artistic talent does one.

from flawfinder.

michaelcfanning avatar michaelcfanning commented on July 21, 2024

Sounds like fun to create an icon for you. I can propose something. Tell me a little about the 'brand' or feeling you want to create in the community for your tool. :) It's C++, obviously, we find quality issues, there's a security focus. What else? :) Do you want a serious feel? Something more playful? etc.

from flawfinder.

david-a-wheeler avatar david-a-wheeler commented on July 21, 2024

@michaelcfanning - Good questions. Please continue in issue #53 so the icon discussions will be in one place.

from flawfinder.

josepalafox avatar josepalafox commented on July 21, 2024

Is this also being published to the GitHub Marketplace?

from flawfinder.

eddynaka avatar eddynaka commented on July 21, 2024

Hi @josepalafox , we are working on it :)

from flawfinder.

david-a-wheeler avatar david-a-wheeler commented on July 21, 2024

The starter workflow looked reasonable to me.

from flawfinder.

eddynaka avatar eddynaka commented on July 21, 2024

@david-a-wheeler , can u verify ur publish?
the action we created isn't there yet.

from flawfinder.

david-a-wheeler avatar david-a-wheeler commented on July 21, 2024

@eddynaka - what do I need to do? Yes, I'd like it published.

I'm distracted right now, but if people can give me clear pointers I'd be happy to finish the task.

from flawfinder.

eddynaka avatar eddynaka commented on July 21, 2024

@david-a-wheeler , my comment from the other thread:

Hi @david-a-wheeler , that action did not work: https://github.com/marketplace?type=&verification=&query=flawfinder+
Some references:
https://docs.github.com/en/actions/creating-actions/publishing-actions-in-github-marketplace

from flawfinder.

yongyan-gh avatar yongyan-gh commented on July 21, 2024

@david-a-wheeler can you pls publish the action again following the steps in the link Eddy sent?

from flawfinder.

david-a-wheeler avatar david-a-wheeler commented on July 21, 2024

Will do. I was on vacation, and then catching up from vacation.

from flawfinder.

david-a-wheeler avatar david-a-wheeler commented on July 21, 2024

I made some further changes. I don't think it's quite working, though hopefully it's closer. Suggestions?

from flawfinder.

david-a-wheeler avatar david-a-wheeler commented on July 21, 2024

Also: It appears that "Flawfinder" is taken, so I renamed the action "flawfinder_scan".

from flawfinder.

yongyan-gh avatar yongyan-gh commented on July 21, 2024

@david-a-wheeler thank you now I can see the action was published!
@eddynaka I updated the PR actions/starter-workflows#969 with the published action and version.

from flawfinder.

david-a-wheeler avatar david-a-wheeler commented on July 21, 2024

@yongyan-gh - Good, but it didn't seem to work when I tested it. Maybe my test was wrong?

I think the README isn't quite right (e.g., flawfinder should be flawfinder_scan) & we still need to get a logo in :-).

from flawfinder.

yongyan-gh avatar yongyan-gh commented on July 21, 2024

@david-a-wheeler I created PR #55 to update readme.md
From actions tab seems the action works.

from flawfinder.

eddynaka avatar eddynaka commented on July 21, 2024

@david-a-wheeler , just to let you know, yesterday the pr to the starter-workflow got merged.
If you access https://github.com/david-a-wheeler/flawfinder/security/code-scanning/setup you will see flawfinder there :) and that would create a github workflow ready to run.

Below the image and description:
[image]

from flawfinder.
