Comments (31)
@yongyan-gh , can you take a look?
we have something similar: https://github.com/microsoft/sarif-actions
from flawfinder.
Not requiring a GitHub PAT is a great reason to merge this work, and I'm delighted to create an official action.
@michaelcfanning @jhutchings1 @eddynaka @yongyan-gh - now that SARIF output is in Flawfinder, I think that adding a GitHub Actions integration should be easy. Anyone interested in doing that, since for many use cases that's the final step?
Hi @david-a-wheeler , should we create a new repo only for the action or would you like to keep it in this repo?
@eddynaka - I have a mild preference to keeping in this repo. That way they can be kept in sync if necessary.
However, if that's inconvenient, a new repo is fine. The goal is to make it easy to use :-).
Here's maybe a better resource with a lot of details on how to write the action and workflow file so that we can surface it on Github.com in the UI.
The action can live in this repo but marketplace has a 1:1 mapping of repos to actions so if you anticipate the need for multiple actions to be published to marketplace they may need their own repos. I think for a scanner you'll probably only have 1 action so colocated would be great!
I expect the only action to be "scan this repo". It should be possible to configure the scan, but that should be doable with environment variables and such. We don't support a configuration file, but we could add that if it's important.
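As an added example (not code from this PR or from the Flawfinder project), a minimal "scan this repo" workflow that installs Flawfinder, writes SARIF with its `--sarif` flag, and uploads it to the Security tab using only the workflow's `GITHUB_TOKEN` with `security-events: write`, so no PAT is involved; the branch name, output file name and `category` value are assumptions.

```yaml
# Added example, not part of the PR: run Flawfinder and publish its SARIF
# to the repository's Security tab with the default GITHUB_TOKEN (no PAT).
name: flawfinder

on:
  push:
    branches: [ main ]          # assumed default branch
  pull_request:
    branches: [ main ]

permissions:
  contents: read                # read-only checkout is enough to scan
  security-events: write        # required for upload-sarif to create alerts

jobs:
  flawfinder:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Flawfinder
        run: python3 -m pip install flawfinder

      - name: Scan C/C++ sources to SARIF
        # --sarif prints SARIF to stdout; the output file name is assumed.
        run: flawfinder --sarif . > flawfinder_results.sarif

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: flawfinder_results.sarif
          category: flawfinder    # keeps these alerts separate from other SARIF uploads
```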
So, is someone volunteering to write the action & workflow file?
hi @david-a-wheeler,
in order to create the boilerplate workflow and publish it to GitHub, we need to fill in the information below; can you please review?
{
"name": "flawfinder",
"creator": "David A. Wheeler",
"description": "Flawfinder is a simple program that scans C/C++ source code and reports potential security flaws.",
"iconName": "flawfinder",
"categories": ["Code Scanning", "C", "C++"]
}
Also, an SVG icon file is required to show the flawfinder workflow in the security tab. Can you please share the icon file?
@yongyan-gh - the JSON looks fine.
I don't think I have an svg file, but I could make one.
I just found this thing. Thoughts?: https://github.com/marketplace/actions/flawfinder-action
Hi @david-a-wheeler , I saw that but that kind of action:
- Is owned by someone else (it's not "official")
- It requires a GitHub PAT
With the change we are adding, we would create an official action that does not require the PAT and we would also make the changes in https://github.com/actions/starter-workflows so it would show flawfinder in the security tab as well.
Let us know if we should pursue and merge the action that we just created.
Thank you
Hi @david-a-wheeler , @yongyan-gh will create another PR fixing one issue with the SARIF and, once merged, we will finish the action.
@david-a-wheeler this is the PR fixing SARIF issue #52, please review.
hi @david-a-wheeler please share the Flawfinder icon file in svg format once you create one.
I've made creating an icon a separate issue, here: #53
If someone has talent to do that, I'd love to know. Otherwise I'll create a "stub" & we can replace it later once someone with artistic talent does one.
Sounds like fun to create an icon for you. I can propose something. Tell me a little about the 'brand' or feeling you want to create in the community for your tool. :) It's C++, obviously, we find quality issues, there's a security focus. What else? :) Do you want a serious feel? Something more playful? etc.
@michaelcfanning - Good questions. Please continue in issue #53 so the icon discussions will be in one place.
Is this also being published to the GitHub Marketplace?
Hi @josepalafox , we are working on it :)
The starter workflow looked reasonable to me.
@david-a-wheeler , can you verify your publish?
The action we created isn't there yet.
@eddynaka - what do I need to do? Yes, I'd like it published.
I'm distracted right now, but if people can give me clear pointers I'd be happy to finish the task.
@david-a-wheeler , my comment from the other thread:
Hi @david-a-wheeler , that action did not work: https://github.com/marketplace?type=&verification=&query=flawfinder+
Some references:
https://docs.github.com/en/actions/creating-actions/publishing-actions-in-github-marketplace
@david-a-wheeler can you please publish the action again following the steps in the link Eddy sent?
Will do. I was on vacation, and then catching up from vacation.
I made some further changes. I don't think it's quite working, though hopefully it's closer. Suggestions?
Also: It appears that "Flawfinder" is taken, so I renamed the action "flawfinder_scan".
@david-a-wheeler thank you now I can see the action was published!
@eddynaka I updated the PR actions/starter-workflows#969 with the published action and version.
@yongyan-gh - Good, but it didn't seem to work when I tested it. Maybe my test was wrong?
I think the README isn't quite right (e.g., flawfinder should be flawfinder_scan) & we still need to get a logo in :-).
@david-a-wheeler I created PR #55 to update readme.md
From the Actions tab it seems the action works.
@david-a-wheeler , just to let you know, yesterday the PR to the starter-workflow got merged.
If you access https://github.com/david-a-wheeler/flawfinder/security/code-scanning/setup you will see flawfinder there :) and that would create a github workflow ready to run.
Below the image and description: