Add static analysis workflow #4
name: "Static Analysis" | |
on: | |
push: | |
branches: [ "main", "master" ] | |
schedule: | |
- cron: '0 0 * * *' | |
pull_request: | |
branches: '*' | |
jobs: | |
codeql: | |
name: GitHub CodeQL | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
# Initializes the CodeQL tools for scanning. | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v2 | |
with: | |
languages: ${{ matrix.language }} | |
queries: security-and-quality | |
- name: Install Deps, Configure and Build | |
run: | | |
./.github/workflows/codeql-buildscript.sh | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v2 | |
with: | |
category: "/language:cpp" | |
upload: false | |
id: step1 | |
# Filter out rules with low severity or high false positve rate | |
# Also filter out warnings in third-party code | |
- name: Filter out unwanted errors and warnings | |
uses: advanced-security/filter-sarif@v1 | |
with: | |
patterns: | | |
-**:cpp/path-injection | |
-**:cpp/world-writable-file-creation | |
-**:cpp/poorly-documented-function | |
-**:cpp/potentially-dangerous-function | |
-**:cpp/use-of-goto | |
-**:cpp/integer-multiplication-cast-to-long | |
-**:cpp/comparison-with-wider-type | |
-**:cpp/leap-year/* | |
-**:cpp/ambiguously-signed-bit-field | |
-**:cpp/suspicious-pointer-scaling | |
-**:cpp/suspicious-pointer-scaling-void | |
-**:cpp/unsigned-comparison-zero | |
-**/cmake*/Modules/** | |
input: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif | |
output: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif | |
- name: Upload CodeQL results to code scanning | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: ${{ steps.step1.outputs.sarif-output }} | |
category: "/language:cpp" | |
- name: Upload CodeQL results as an artifact | |
if: success() || failure() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: codeql-results | |
path: ${{ steps.step1.outputs.sarif-output }} | |
retention-days: 5 | |
- name: Fail if a warning is found | |
run: | | |
./.github/workflows/fail_on_warning.py \ | |
${{ steps.step1.outputs.sarif-output }}/cpp.sarif | |
scan-build: | |
name: Clang scan-build | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Install Deps, Configure and Build | |
env: | |
WRAPPER: "scan-build --use-cc=cc --use-c++=c++ -sarif -o build/sarif" | |
run: | | |
./.github/workflows/codeql-buildscript.sh | |
- name: Install Deps, Configure and Build | |
env: | |
WRAPPER: "scan-build --use-cc=cc --use-c++=c++ -o build/scan-build-html" | |
run: | | |
./.github/workflows/codeql-buildscript.sh | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: "Scan-Build Bug Reports" | |
path: ${{ github.workspace }}/build/scan-build-html | |
- name: Bundle sarif | |
run: | | |
npx -y @microsoft/sarif-multitool merge build/sarif/*/*.sarif -o build/sarif/ | |
- name: Upload results to code scanning | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
category: "scan-build" | |
sarif_file: build/sarif/merged.sarif | |
- name: Fail if a warning is found | |
run: | | |
./.github/workflows/fail_on_warning.py build/sarif/merged.sarif | |
codechecker: | |
name: CodeChecker | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Install Deps, Configure and Build | |
run: | | |
./.github/workflows/codeql-buildscript.sh | |
- name: Run CodeChecker | |
uses: whisperity/codechecker-analysis-action@v1 | |
id: codechecker | |
with: | |
ctu: true | |
logfile: ${{ github.workspace }}/build/compile_commands.json | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: "CodeChecker Bug Reports" | |
path: ${{ steps.codechecker.outputs.result-html-dir }} | |
- name: Fail if a warning is found | |
if: ${{ steps.codechecker.outputs.warnings == 'true' }} | |
run: exit 1 |
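Review bot: `languages: ${{ matrix.language }}` in the codeql job's "Initialize CodeQL" step refers to a `strategy.matrix` that the job never declares, so the expression expands to an empty string (CodeQL then presumably falls back to language autodetection) while the rest of the job hard-codes C++ (`category: "/language:cpp"`, `cpp.sarif`); either declare `strategy: { matrix: { language: [cpp] } }` on the job or write `languages: cpp`. The third-party actions `advanced-security/filter-sarif@v1` and `whisperity/codechecker-analysis-action@v1`, and the `npx -y @microsoft/sarif-multitool` invocation, are resolved by mutable tag or latest package version at run time inside jobs that hold `security-events: write`; pinning each to a full commit SHA (and the npm tool to an explicit version) keeps the supply chain reproducible and reviewable. `github/codeql-action/...@v2` is the deprecated major line of that action; `@v3` is current. Separately, on `pull_request` events from forks the workflow token is read-only regardless of the `permissions` block, so the upload-sarif steps are likely to fail on such runs unless guarded with an `if` on the event or head repository. The scan-build job also runs the "Install Deps, Configure and Build" step twice under the same name (SARIF and HTML wrappers), which doubles build time and makes the log ambiguous; giving the two steps distinct names, or producing both outputs from one scan-build run, would be clearer.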