Integrating CodeScan with Github Actions
Running CodeScan SCA jobs from Github Workflow
You can now run CodeScan static code analysis jobs from a GitHub workflow. The CodeScan action produces a SARIF report file containing the analysis results.
Only a few lines need to be added to your .YML file for CodeScan to be triggered.
First, add your CodeScan token as a secret that the .YML file can access.
- Open your project and navigate to Repository Settings > Secrets > Add new secret.
- Add your token with the name codescan_token and check the Secured box. To learn how to generate a token, see HERE.
Now you can reference this secret in your .YML file as $codescan_token (the workflow below reads it via ${{ secrets.codescan_token }}).
If you do not have a workflow set up on your GitHub repository, go to Actions > New workflow to create a .yml workflow.
Add the following into your .YML file in the workflow:
```yaml
name: CI
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Cache files
        uses: actions/cache@v2
        with:
          path: |
            ~/.sonar
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: Run Codescan On Push
        if: github.event_name == 'push'
        uses: codescan-io/codescan-scanner-action@1.4
        with:
          organization: 'Enter organization key here'
          projectKey: 'Enter project key here'
          login: ${{ secrets.codescan_token }}
          generateSarifFile: true
          failOnRedQualityGate: true
      - name: Run Codescan On PR
        if: github.event_name == 'pull_request'
        uses: codescan-io/codescan-scanner-action@1.4
        with:
          organization: 'Enter organization key here'
          projectKey: 'Enter project key here'
          login: ${{ secrets.codescan_token }}
          generateSarifFile: true
          failOnRedQualityGate: true
          args: |
            sonar.pullrequest.branch=${{github.head_ref}}
            sonar.pullrequest.base=${{github.base_ref}}
            sonar.pullrequest.key=${{github.event.number}}
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: codescan.sarif
```
You will need to replace the placeholder values (in single quotes) in the with section of each CodeScan step with your Project Key and Organization Key.
The failOnRedQualityGate parameter defaults to false. When set to true, the GitHub Actions pipeline fails if the Quality Gate state changes to red (fails).
The failOnRedQualityGate parameter is available in CodeScan scanner action version 1.4 and later.
Now you will be able to view the .yml workflow in your repository.
Also check the name of the master branch on both the CodeScan platform and the Git repository, as the recent Git update changed the default branch name from master to main.
If the name on the CodeScan platform is not the same as in the Git repository, go to your CodeScan project, navigate to Dashboard > Administration > Branches & Pull Requests > Actions, and change the branch name.
The branch names and comparisons are set by the following parameters:
- sonar.pullrequest.key: The pull request number
- sonar.pullrequest.base: The comparison branch for pull request type branches
- sonar.pullrequest.branch: The name of the branch
The SARIF file uploaded by the .yml workflow lets you get the code analysis reports in two ways:
- For files already in the repository, results can be found under Code scanning alerts in the Security tab of the GitHub repository.
- For new files being pushed to the repository, you can view the analysis on the pull request in GitHub by clicking on the details: select the relevant pull request and then click Details. Once in Details, go to Code scanning results > CodeScan.
Results are categorized as follows:
- All bugs and vulnerabilities are marked as ERRORS.
- All major and minor code smells are marked as WARNINGS.
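The mapping above (bugs and vulnerabilities at SARIF level "error", code smells at level "warning") is what GitHub's code scanning view renders, but it is also useful to inspect the codescan.sarif artifact directly, for example when a pull request is blocked and you want the offending findings in a terminal. The following script is an added example written for this page; it is not part of CodeScan or the codescan-scanner-action. It assumes the scanner writes SARIF 2.1.0 with the level convention described above, and the embedded SARIF document, rule ids and file names are constructed for illustration.

```python
"""Summarise a CodeScan-style SARIF file by severity level.

Added example for this page, not CodeScan's own tooling. Assumes SARIF 2.1.0
with bugs/vulnerabilities at level "error" and code smells at level "warning".
"""
import json
from collections import Counter
from typing import Dict, List

# Constructed sample SARIF document (not real scanner output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeScan (constructed sample)", "rules": [
            {"id": "sample:sql-injection",
             "shortDescription": {"text": "SQL built from user input"}},
            {"id": "sample:unused-import",
             "shortDescription": {"text": "Unused import"}},
        ]}},
        "results": [
            {"ruleId": "sample:sql-injection", "level": "error",
             "message": {"text": "Query concatenates request parameter"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/OrderDao.cls"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "sample:unused-import", "level": "warning",
             "message": {"text": "Import is never used"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Util.cls"},
                 "region": {"startLine": 3}}}]},
            {"ruleId": "sample:unused-import", "level": "warning",
             "message": {"text": "Import is never used"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Batch.cls"},
                 "region": {"startLine": 1}}}]},
        ],
    }],
})


def load_results(sarif_text: str) -> List[dict]:
    """Flatten every run's results into one list; tolerate absent keys."""
    doc = json.loads(sarif_text)
    results: List[dict] = []
    for run in doc.get("runs", []):
        results.extend(run.get("results", []))
    return results


def count_by_level(results: List[dict]) -> Dict[str, int]:
    """Count results per SARIF level (SARIF treats a missing level as warning)."""
    return dict(Counter(r.get("level", "warning") for r in results))


def describe(result: dict) -> str:
    """Render one result as 'file:line ruleId message' for terminal output."""
    loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
    line = loc.get("region", {}).get("startLine", 0)
    text = result.get("message", {}).get("text", "")
    return f"{uri}:{line} {result.get('ruleId', '?')} {text}"


def gate_passes(results: List[dict]) -> bool:
    """Local stand-in for a strict gate: any error-level finding fails the build.

    This is an assumption for the example; it is not CodeScan's Quality Gate
    logic, which is evaluated server-side and surfaced via failOnRedQualityGate.
    """
    return all(r.get("level", "warning") != "error" for r in results)


if __name__ == "__main__":
    rs = load_results(SAMPLE_SARIF)
    print(count_by_level(rs))
    for r in rs:
        print(describe(r))
    print("gate passes:", gate_passes(rs))
```

To run it against a real artifact, replace SAMPLE_SARIF with the contents of codescan.sarif read from disk; the rest of the logic only depends on the standard SARIF result shape.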
This .yml file runs an analysis on the project while linking it to CodeScan. You can go to the CI workflow under GitHub Actions to view the analysis.