From ad8c4aadf34e36a2d5de05d3077a17e8f7bd58e6 Mon Sep 17 00:00:00 2001
From: Yong Yan
Date: Tue, 22 Jun 2021 19:17:03 -0700
Subject: [PATCH 1/7] Add Github Action required files and test workflow.
---
.github/workflows/main.yml | 16 ++++++++++++++++
Dockerfile | 15 +++++++++++++++
action.yml | 12 ++++++++++++
entrypoint.sh | 5 +++++
4 files changed, 48 insertions(+)
create mode 100644 .github/workflows/main.yml
create mode 100644 Dockerfile
create mode 100644 action.yml
create mode 100644 entrypoint.sh
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 0000000..e14c92e
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,16 @@
+on: [push]
+
+jobs:
+ sarif:
+ runs-on: ubuntu-latest
+ name: Flawfinder
+ steps:
+ # To use this repository's private action,
+ # you must check out the repository
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Flawfinder action step
+ uses: ./ # Uses an action in the root directory
+ with:
+ command: '--version'
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..daa167a
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,15 @@
+# Container image that runs your code
+FROM ubuntu:20.04
+
+# Copies your code file from your action repository to the filesystem path `/` of the container
+COPY entrypoint.sh /entrypoint.sh
+
+
+RUN apt update -y
+
+RUN apt install python3-pip -y
+
+RUN pip install flawfinder
+
+# Code file to execute when the docker container starts up (`entrypoint.sh`)
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/action.yml b/action.yml
new file mode 100644
index 0000000..cd4b566
--- /dev/null
+++ b/action.yml
@@ -0,0 +1,12 @@
+name: 'Flawfinder'
+description: 'Execute Flawfinder'
+inputs:
+ command:
+ description: 'Command to be sent to Flawfinder'
+ required: false
+ default: '--help'
+runs:
+ using: 'docker'
+ image: 'Dockerfile'
+ args:
+ - ${{ inputs.command }}
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..7c35a4b
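Review bot: `uses: actions/checkout@v2` in the Checkout step references a mutable tag, so the code that runs in this job can change without any edit to the workflow. Pinning third-party actions to a full commit SHA with the version kept in a comment, e.g. `uses: actions/checkout@<commit-sha> # v2`, keeps the step reproducible and reviewable. The same applies to `github/codeql-action/upload-sarif@v1` added in PATCH 3/7 and `actions/upload-artifact@v2.2.4` added in PATCH 5/7.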
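Review bot: `RUN pip install flawfinder` installs whatever flawfinder release PyPI serves at the moment the action image is built, so two runs of the same workflow can scan with different scanner versions and every build reaches PyPI with no version or integrity constraint; pin it, `RUN pip install --no-cache-dir flawfinder==<version>`. The line survives unchanged into the rewritten Dockerfile in PATCH 5/7. If this Dockerfile lives in the flawfinder repository itself, as the README hunk in PATCH 5/7 suggests, installing from PyPI also means the action never exercises the checked-out source. The separate `RUN apt update -y` and `RUN apt install python3-pip -y` layers would normally be merged into one `apt-get update && apt-get install --no-install-recommends` step, though PATCH 5/7 drops them.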
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,5 @@
+#!/bin/sh -l
+
+flawfinder $1
+
+echo "Executed with success."
From ce83692cd32b00474859bbe3dd0d2984a262389c Mon Sep 17 00:00:00 2001
From: Yong Yan
Date: Tue, 22 Jun 2021 19:17:59 -0700
Subject: [PATCH 2/7] Grant shell script exeuction permission
---
entrypoint.sh | 0
1 file changed, 0 insertions(+), 0 deletions(-)
mode change 100644 => 100755 entrypoint.sh
diff --git a/entrypoint.sh b/entrypoint.sh
old mode 100644
new mode 100755
From 70014135c9b2a373ab67115d00a2a6af717776bb Mon Sep 17 00:00:00 2001
From: Yong Yan
Date: Wed, 23 Jun 2021 12:23:34 -0700
Subject: [PATCH 3/7] Update workflow
---
.github/workflows/main.yml | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index e14c92e..8696459 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,9 +1,13 @@ on: [push] jobs: - sarif: - runs-on: ubuntu-latest + flawfinder: name: Flawfinder + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write steps: # To use this repository's private action, # you must check out the repository
@@ -13,4 +17,9 @@ jobs: - name: Flawfinder action step uses: ./ # Uses an action in the root directory with: - command: '--version' + command: '--sarif ./ > flawfinder-results.sarif' + + - name: Upload analysis results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: flawfinder-results.sarif
From c53794a24bbbdb7d01c7af3acec700a2d982073f Mon Sep 17 00:00:00 2001
From: Yong Yan
Date: Wed, 23 Jun 2021 12:33:34 -0700
Subject: [PATCH 4/7] specify upload sarif file path
---
.github/workflows/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 8696459..bf77663 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
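Review bot: The script's exit status is that of the final `echo`, so the action step succeeds no matter what `flawfinder $1` returned — a crash or an unreadable path never fails the job. Capture the status right after the scan, `status=$?`, and end the script with `exit "$status"` after the echo. Note that `$1` is deliberately unquoted so the single `command` input is word-split into several arguments; this also means shell metacharacters inside the input reach flawfinder as literal words rather than being interpreted. The same masking remains in the entrypoint.sh hunk of PATCH 5/7.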
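Review bot: `command: '--sarif ./ > flawfinder-results.sarif'` in the second hunk will not create the file the new upload step expects, because entrypoint.sh expands `$1` unquoted: `>` and `flawfinder-results.sarif` arrive as two extra argv words for flawfinder, not as a shell redirection. Flawfinder presumably then tries to treat `>` as an input path and the SARIF, if any, still goes to stdout, so upload-sarif looks for a file the action never wrote. Writing the output inside the entrypoint, or passing the file name as a separate input as PATCH 5/7 later does, is what actually puts a file on disk.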
@@ -22,4 +22,4 @@ jobs: - name: Upload analysis results to GitHub Security tab uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: flawfinder-results.sarif + sarif_file: ./flawfinder-results.sarif
From fc471e1c63c9e273bf13bf5291458687b5cd60de Mon Sep 17 00:00:00 2001
From: Yong Yan
Date: Thu, 24 Jun 2021 11:56:59 -0700
Subject: [PATCH 5/7] update actions files and readme.
---
.github/workflows/main.yml | 14 ++++++++------
Dockerfile | 7 +------
README.md | 21 +++++++++++++++++++++
action.yml | 15 ++++++++++-----
entrypoint.sh | 4 +++-
5 files changed, 43 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index bf77663..222e7a6 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -4,10 +4,6 @@ jobs: flawfinder: name: Flawfinder runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write steps: # To use this repository's private action, # you must check out the repository
@@ -17,9 +13,15 @@ jobs: - name: Flawfinder action step uses: ./ # Uses an action in the root directory with: - command: '--sarif ./ > flawfinder-results.sarif' + arguments: '--sarif ./' + output: 'flawfinder_results.sarif' + + - name: Upload a Build Artifact + uses: actions/upload-artifact@v2.2.4 + with: + path: flawfinder_results.sarif - name: Upload analysis results to GitHub Security tab uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: ./flawfinder-results.sarif + sarif_file: ${{github.workspace}}/flawfinder_results.sarif
diff --git a/Dockerfile b/Dockerfile
index daa167a..a76eeb8 100644
--- a/Dockerfile
+++ b/Dockerfile
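Review bot: The first main.yml hunk of PATCH 5/7 deletes the job's `permissions:` block, so the upload-sarif step, which needs `security-events: write`, now depends on the repository's default GITHUB_TOKEN scope, and on repositories whose default is write-all the job is handed far more than it uses. Keep the explicit block, `permissions: { contents: read, security-events: write }` (plus `actions: read` if the SARIF upload needs it for a private repository), so the token stays least-privilege regardless of repository settings. The block was introduced in PATCH 3/7 for exactly this step; nothing in this hunk explains why it goes away.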
@@ -1,14 +1,9 @@ # Container image that runs your code -FROM ubuntu:20.04 +FROM python:3 # Copies your code file from your action repository to the filesystem path `/` of the container COPY entrypoint.sh /entrypoint.sh - -RUN apt update -y - -RUN apt install python3-pip -y - RUN pip install flawfinder # Code file to execute when the docker container starts up (`entrypoint.sh`)
diff --git a/README.md b/README.md
index d8f0fbf..053d58d 100644
--- a/README.md
+++ b/README.md
@@ -94,6 +94,27 @@ vulnerabilities in programs that cannot be built or cannot be linked. Flawfinder also doesn't get as confused by macro definitions and other oddities that more sophisticated tools have trouble with. +# Flawfinder Github Action + +## Usage + +See [action.yml](https://github.com/david-a-wheeler/flawfinder/blob/main/action.yml) + +Create a .yml file under .github/workflows with the following contents: + +### Basic: +````yml +- name: Flawfinder + uses: david-a-wheeler/flawfinder@v1.0 + with: + arguments: '--sarif ./' + output: 'flawfinder_results.sarif' +```` +### Input options: +- arguments: Flawfinder command arguments. +Visit https://github.com/david-a-wheeler/flawfinder/blob/master/README.md#usage to check all parameters. +- output: Flawfinder output file name. Can be uploaded to Github. + # Contributions We love contributions! For more information on contributing, see
diff --git a/action.yml b/action.yml
index cd4b566..f1a9a25 100644
--- a/action.yml
+++ b/action.yml
@@ -1,12 +1,17 @@ name: 'Flawfinder' description: 'Execute Flawfinder' inputs: - command: - description: 'Command to be sent to Flawfinder' - required: false - default: '--help' + arguments: + description: 'Command arguments to be sent to Flawfinder' + required: true + default: '' + output: + description: 'Output file name' + required: true + default: '' runs: using: 'docker' image: 'Dockerfile' args: - - ${{ inputs.command }} + - ${{ inputs.arguments }} + - ${{ inputs.output }}
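Review bot: `FROM python:3` is a floating major tag, so the base image underneath the published action moves whenever Docker Hub retags it, and every consumer of `david-a-wheeler/flawfinder@v1.0` rebuilds on a different base over time. Pin at least the minor version and preferably the digest, `FROM python:<pinned-version>-slim@sha256:<digest>`, alongside the pinned `pip install` raised on the PATCH 1/7 Dockerfile hunk. A `USER` directive is not the answer to the root-user concern here: GitHub's documentation for Docker container actions requires the container to keep the default root user so it can write the mounted workspace.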
diff --git a/entrypoint.sh b/entrypoint.sh
index 7c35a4b..1aaac26 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,5 +1,7 @@ #!/bin/sh -l +# $1 arguments +# $2 output filename -flawfinder $1 +flawfinder $1 > $2 echo "Executed with success."
From c4f58cca723371f18b51b75e2cffb50e636707db Mon Sep 17 00:00:00 2001
From: Yong Yan
Date: Thu, 24 Jun 2021 12:02:17 -0700
Subject: [PATCH 6/7] scan specific file so the workflow will not report any error
---
.github/workflows/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 222e7a6..b93d3a9 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -13,7 +13,7 @@ jobs: - name: Flawfinder action step uses: ./ # Uses an action in the root directory with: - arguments: '--sarif ./' + arguments: '--sarif ./setup.py' output: 'flawfinder_results.sarif' - name: Upload a Build Artifact
From f5025a3c80be6c689f77ed8ddde376ba21776f18 Mon Sep 17 00:00:00 2001
From: Yong Yan
Date: Thu, 24 Jun 2021 15:01:02 -0700
Subject: [PATCH 7/7] update readme
---
README.md | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 053d58d..32df598 100644
--- a/README.md
+++ b/README.md
@@ -103,13 +103,14 @@ See [action.yml](https://github.com/david-a-wheeler/flawfinder/blob/main/action. Create a .yml file under .github/workflows with the following contents: ### Basic: -````yml +```yml - name: Flawfinder uses: david-a-wheeler/flawfinder@v1.0 with: arguments: '--sarif ./' output: 'flawfinder_results.sarif' -```` +``` + ### Input options: - arguments: Flawfinder command arguments. Visit https://github.com/david-a-wheeler/flawfinder/blob/master/README.md#usage to check all parameters.
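Review bot: `flawfinder $1 > $2` redirects to an unquoted `$2`, and the action.yml hunk in the same patch gives `output` a `default: ''` despite `required: true`, so an omitted or empty output input is not rejected by the runner and reaches the shell as an empty redirect target, killing the step with a redirection error instead of a message naming the input. Guard and quote it: `[ -n "$2" ] || { echo "output filename is required" >&2; exit 1; }` before the scan, and `flawfinder $1 > "$2"` for the redirect. The trailing echo still masks flawfinder's exit status, as raised on the PATCH 1/7 entrypoint.sh hunk.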
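Review bot: Changing `arguments` to `'--sarif ./setup.py'` in PATCH 6/7 narrows the self-test to one file, so the workflow now exercises very little of the action and whatever made scanning `./` fail is hidden rather than diagnosed. The subject says this avoids a reported error, but entrypoint.sh's final echo already hides flawfinder's exit status, so the failure presumably came from the upload step or from the SARIF content; the actual cause would be worth recording in the commit message before the scan scope is reduced.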