
devskim-action's Introduction

DevSkim

DevSkim is a security linter that highlights common security issues in source code.

The DevSkim GitHub Action outputs a SARIF file compatible with GitHub's code scanning (Security) view.

Usage

Add DevSkim to your GitHub Actions workflow as shown below. The upload-sarif step publishes the results to code scanning, so the job that runs it needs the security-events: write permission.

    - uses: actions/checkout@v4
    - uses: microsoft/DevSkim-Action@v1
    - uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: devskim-results.sarif

You can also pass a number of options to the action.

    - uses: microsoft/DevSkim-Action@v1
      with:
        directory-to-scan: path/to/scan
        should-scan-archives: false
        output-filename: devskim-results.sarif
        output-directory: path/to/output   # relative to $GITHUB_WORKSPACE
        ignore-globs: "**/.git/**,*.txt"
        exclude-rules: DS176209,DS148264
        options-json: path/to/options.json
        extra-options: --args --to --devskimAnalyze   # placeholder for any other Analyze arguments

Arguments

The arguments specified are passed to the DevSkim CLI's Analyze command. See the DevSkim Wiki for detailed usage instructions.

directory-to-scan

Relative path in $GITHUB_WORKSPACE for DevSkim to scan. Equivalent to the --source-code argument to Analyze.

should-scan-archives

DevSkim can peek into archives to scan the files contained inside them. Setting this to true will enable that behavior. Equivalent to the --crawl-archives argument to Analyze.

output-filename

The filename to use for the results of the Analyze scan. Combined with output-directory, this is equivalent to the --output-file argument to Analyze.

output-directory

Relative path to a directory in $GITHUB_WORKSPACE in which to write the output file. By default the file is written to the root of $GITHUB_WORKSPACE under the specified output-filename.

ignore-globs

Files which match any of these globs will be skipped during analysis. Equivalent to the --ignore-globs argument to Analyze.

exclude-rules

Comma-separated list of rule IDs to skip during analysis. Equivalent to the --ignore-rule-ids argument to Analyze.

options-json

Relative path in $GITHUB_WORKSPACE to a JSON serialization of a SerializedAnalyzeCommandOptions object. Equivalent to the --options-json argument to Analyze.

extra-options

Use this field to specify any other arguments to the DevSkim Analyze command. See the DevSkim Wiki for available options and usage documentation.
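To see what a run produced before uploading it, and to decide which rule IDs belong in exclude-rules, here is an added Python example that reads the SARIF file the action writes. It is not part of DevSkim or DevSkim-Action: it depends only on the SARIF 2.1.0 layout (runs[].results[] with ruleId, level and locations) that GitHub code scanning consumes, and the rule IDs, paths and messages in its built-in sample document are constructed for the example. The script name devskim_gate.py and all function names are this example's own.

```python
"""Summarize and gate on a DevSkim SARIF file.

Added example, not code from the DevSkim-Action project. It relies only on
the SARIF 2.1.0 layout (runs[].results[] with ruleId, level and locations).
The rule IDs, paths and messages in SAMPLE_SARIF are constructed for this
example and are not real DevSkim output.
"""
import json
import sys
from collections import Counter


def _finding(rule_id, level, uri, line):
    """Build one SARIF result object (helper for the constructed sample)."""
    return {
        "ruleId": rule_id,
        "level": level,
        "message": {"text": f"constructed finding for {rule_id}"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": line},
        }}],
    }


# Constructed sample document in SARIF 2.1.0 shape (not real DevSkim output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "DevSkim"}},
        "results": [
            _finding("DS000001", "error", "src/app.c", 10),
            _finding("DS000002", "warning", "src/app.c", 42),
            _finding("DS000002", "warning", "vendor/lib.js", 7),
            _finding("DS000003", "note", "README.txt", 1),
        ],
    }],
})

# Severity ordering for the gate; "warning" is SARIF's default when level is absent.
LEVELS = {"note": 0, "warning": 1, "error": 2}


def load_results(sarif_text, exclude_rules=()):
    """Flatten every run's results into (ruleId, level, uri, startLine) tuples.

    Rule IDs listed in exclude_rules are dropped, mirroring what the action's
    exclude-rules input would suppress at scan time.
    """
    doc = json.loads(sarif_text)
    excluded = set(exclude_rules)
    rows = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            if rule_id in excluded:
                continue
            locations = result.get("locations") or [{}]
            physical = locations[0].get("physicalLocation", {})
            uri = physical.get("artifactLocation", {}).get("uri", "")
            line = physical.get("region", {}).get("startLine")
            rows.append((rule_id, result.get("level", "warning"), uri, line))
    return rows


def count_by_rule(rows):
    """Findings per rule ID: the view to look at before editing exclude-rules."""
    return Counter(rule_id for rule_id, _, _, _ in rows)


def should_fail(rows, fail_on="error"):
    """True if any remaining finding is at or above the fail_on level."""
    threshold = LEVELS[fail_on]
    return any(LEVELS.get(level, 1) >= threshold for _, level, _, _ in rows)


def main(argv):
    # Usage: python devskim_gate.py devskim-results.sarif [DS...,DS...]
    # With no arguments the constructed sample document is used.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SARIF
    excluded = argv[2].split(",") if len(argv) > 2 else []
    rows = load_results(text, excluded)
    for rule_id, count in count_by_rule(rows).most_common():
        print(f"{rule_id}: {count}")
    for rule_id, level, uri, line in rows:
        print(f"  {level:<7} {rule_id} {uri}:{line}")
    return 1 if should_fail(rows) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a step after the DevSkim-Action step, for example `python devskim_gate.py devskim-results.sarif DS176209,DS148264`, and the job fails on any error-level finding that is not in the excluded rule list. Excluding in this script only hides findings from the gate; passing the same IDs through exclude-rules stops DevSkim from reporting them at all, which is what you want once a rule has been triaged.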

Features

  • Built-in ruleset highlighting common security issues in source code
  • Support for scanning code contained in archives
  • Information and guidance provided for identified security issues
  • Broad language support including: C, C++, C#, Cobol, Go, Java, JavaScript/TypeScript, Python, and more.

Main Project

The DevSkim engine powering this GitHub Action is also available as a CLI and as IDE extensions for Visual Studio and Visual Studio Code.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

devskim-action's People

Contributors

berniewhite, gfs, maj113, microsoftopensource, scovetta, ugreg


devskim-action's Issues

Planning to upgrade logo on GitHub Marketplace to Microsoft logo by end of May 2021

Tool 'microsoft.cst.devskim.cli' failed to install

https://github.com/ben-manes/caffeine/actions/runs/3279477252

/usr/bin/docker build -t 8d5581:d182c176c6074ef38b83ea8b6dbb4126 -f "/home/runner/work/_actions/microsoft/DevSkim-Action/v1/Dockerfile" "/home/runner/work/_actions/microsoft/DevSkim-Action/v1"
  Sending build context to Docker daemon  15.36kB

  Step 1/6 : FROM mcr.microsoft.com/dotnet/sdk:5.0
   ---> 9fec788bd1f9
  Step 2/6 : RUN mkdir /tools
   ---> Using cache
   ---> 7e55326a1bf8
  Step 3/6 : RUN dotnet tool install --tool-path /tools Microsoft.CST.DevSkim.Cli
   ---> Running in 6a075c1ef3ad
  error NU1202: Package Microsoft.CST.DevSkim.CLI 0.6.30 is not compatible with net5.0 (.NETCoreApp,Version=v5.0) / any. Package Microsoft.CST.DevSkim.CLI 0.6.30 supports: net6.0 (.NETCoreApp,Version=v6.0) / any
  The tool package could not be restored.
  Tool 'microsoft.cst.devskim.cli' failed to install. This failure may have been caused by:

  * You are attempting to install a preview release and did not use the --version option to specify the version.
  * A package by this name was found, but it was not a .NET tool.
  * The required NuGet feed cannot be accessed, perhaps because of an Internet connection problem.
  * You mistyped the name of the tool.

  For more reasons, including package naming enforcement, visit https://aka.ms/failure-installing-tool
  The command '/bin/sh -c dotnet tool install --tool-path /tools Microsoft.CST.DevSkim.Cli' returned a non-zero code: 1

Error: Docker build failed with exit code 1

Ignore_globs not working

Hello, so I have been testing various options for DevSkim Action and the "ignore-globs" seems to not be working, as I have been trying to ignore specific files, however, they are being tested anyway. Is there any way to fix that?

I would appreciate it!

error NU1202: Package Microsoft.CST.DevSkim.CLI 0.6.30 is not compatible with net5.0

Using the latest version of DevSkim from the marketplace. Appears there is some error at the container level with the version of .NET currently in use? This is blocking the running of the credential scanner, as it does not get past the container build step as seen below.


Would like to understand from the team:

  1. If my understanding of the root cause is correct.
  2. What the ETA could be for a possible fix.

Main error
error NU1202: Package Microsoft.CST.DevSkim.CLI 0.6.30 is not compatible with net5.0 (.NETCoreApp,Version=v5.0) / any.

Full logs

2022-10-19T13:38:56.1474333Z ##[group]Build container for action use: '/home/runner/work/_actions/microsoft/DevSkim-Action/v1/Dockerfile'.
2022-10-19T13:38:56.1546159Z ##[command]/usr/bin/docker build -t 8d5581:3e1307436a9040f584f24b9b70bf9ed8 -f "/home/runner/work/_actions/microsoft/DevSkim-Action/v1/Dockerfile" "/home/runner/work/_actions/microsoft/DevSkim-Action/v1"
2022-10-19T13:38:59.8229167Z Sending build context to Docker daemon  15.36kB
2022-10-19T13:38:59.8230417Z 
2022-10-19T13:38:59.8675939Z Step 1/6 : FROM mcr.microsoft.com/dotnet/sdk:5.0
2022-10-19T13:39:00.0103722Z 5.0: Pulling from dotnet/sdk
2022-10-19T13:39:00.0517866Z c1ad9731b2c7: Pulling fs layer
... ugreg REDACTED this line, redundant pulling, checksum and download messages
2022-10-19T13:39:11.4445762Z 5fdeb3a38fe8: Pull complete
2022-10-19T13:39:12.0050784Z d395fb0767b4: Pull complete
2022-10-19T13:39:12.0168144Z Digest: sha256:3ff465d940de3e2c727794d92fd7bb649c498d4abd91bc9213ea7831ebf01f1e
2022-10-19T13:39:12.0189908Z Status: Downloaded newer image for mcr.microsoft.com/dotnet/sdk:5.0
2022-10-19T13:39:12.0214633Z  ---> 9fec788bd1f9
2022-10-19T13:39:12.0216753Z Step 2/6 : RUN mkdir /tools
2022-10-19T13:39:12.0603980Z  ---> Running in 84fe85f5fa45
2022-10-19T13:39:13.0600997Z Removing intermediate container 84fe85f5fa45
2022-10-19T13:39:13.0601823Z  ---> 6ff498ad6abb
2022-10-19T13:39:13.0602441Z Step 3/6 : RUN dotnet tool install --tool-path /tools Microsoft.CST.DevSkim.Cli
2022-10-19T13:39:13.0913160Z  ---> Running in c98636eb89c9
2022-10-19T13:39:15.5122045Z error NU1202: Package Microsoft.CST.DevSkim.CLI 0.6.30 is not compatible with net5.0 (.NETCoreApp,Version=v5.0) / any. Package Microsoft.CST.DevSkim.CLI 0.6.30 supports: net6.0 (.NETCoreApp,Version=v6.0) / any
2022-10-19T13:39:15.5664737Z The tool package could not be restored.
2022-10-19T13:39:15.5665497Z Tool 'microsoft.cst.devskim.cli' failed to install. This failure may have been caused by:
2022-10-19T13:39:15.5667394Z 
2022-10-19T13:39:15.5668640Z * You are attempting to install a preview release and did not use the --version option to specify the version.
2022-10-19T13:39:15.5669254Z * A package by this name was found, but it was not a .NET tool.
2022-10-19T13:39:15.5670037Z * The required NuGet feed cannot be accessed, perhaps because of an Internet connection problem.
2022-10-19T13:39:15.5670556Z * You mistyped the name of the tool.
2022-10-19T13:39:15.5670806Z 
2022-10-19T13:39:15.5671133Z For more reasons, including package naming enforcement, visit https://aka.ms/failure-installing-tool
2022-10-19T13:39:15.7004363Z The command '/bin/sh -c dotnet tool install --tool-path /tools Microsoft.CST.DevSkim.Cli' returned a non-zero code: 1
2022-10-19T13:39:15.7004743Z
2022-10-19T13:39:15.7031316Z ##[warning]Docker build failed with exit code 1, back off 4.447 seconds before retry.
2022-10-19T13:39:20.1482621Z ##[command]/usr/bin/docker build -t 8d5581:3e1307436a9040f584f24b9b70bf9ed8 -f "/home/runner/work/_actions/microsoft/DevSkim-Action/v1/Dockerfile" "/home/runner/work/_actions/microsoft/DevSkim-Action/v1"
2022-10-19T13:39:20.1724357Z Sending build context to Docker daemon  15.36kB
2022-10-19T13:39:20.1725407Z 
2022-10-19T13:39:20.2150291Z Step 1/6 : FROM mcr.microsoft.com/dotnet/sdk:5.0
2022-10-19T13:39:20.2156462Z  ---> 9fec788bd1f9
2022-10-19T13:39:20.2157067Z Step 2/6 : RUN mkdir /tools
2022-10-19T13:39:20.2227429Z  ---> Using cache
2022-10-19T13:39:20.2231264Z  ---> 6ff498ad6abb
2022-10-19T13:39:20.2232251Z Step 3/6 : RUN dotnet tool install --tool-path /tools Microsoft.CST.DevSkim.Cli
2022-10-19T13:39:20.2500754Z  ---> Running in 97ff5607382d
2022-10-19T13:39:22.6238381Z error NU1202: Package Microsoft.CST.DevSkim.CLI 0.6.30 is not compatible with net5.0 (.NETCoreApp,Version=v5.0) / any. Package Microsoft.CST.DevSkim.CLI 0.6.30 supports: net6.0 (.NETCoreApp,Version=v6.0) / any
2022-10-19T13:39:22.6741674Z The tool package could not be restored.
2022-10-19T13:39:22.6742248Z Tool 'microsoft.cst.devskim.cli' failed to install. This failure may have been caused by:
2022-10-19T13:39:22.6742498Z 
2022-10-19T13:39:22.6742711Z * You are attempting to install a preview release and did not use the --version option to specify the version.
2022-10-19T13:39:22.6743255Z * A package by this name was found, but it was not a .NET tool.
2022-10-19T13:39:22.6743610Z * The required NuGet feed cannot be accessed, perhaps because of an Internet connection problem.
2022-10-19T13:39:22.6743936Z * You mistyped the name of the tool.
2022-10-19T13:39:22.6744087Z 
2022-10-19T13:39:22.6744569Z For more reasons, including package naming enforcement, visit https://aka.ms/failure-installing-tool
2022-10-19T13:39:22.8116855Z The command '/bin/sh -c dotnet tool install --tool-path /tools Microsoft.CST.DevSkim.Cli' returned a non-zero code: 1
2022-10-19T13:39:22.8147421Z
2022-10-19T13:39:22.8149351Z ##[warning]Docker build failed with exit code 1, back off 4.102 seconds before retry.
2022-10-19T13:39:26.9156793Z ##[command]/usr/bin/docker build -t 8d5581:3e1307436a9040f584f24b9b70bf9ed8 -f "/home/runner/work/_actions/microsoft/DevSkim-Action/v1/Dockerfile" "/home/runner/work/_actions/microsoft/DevSkim-Action/v1"
2022-10-19T13:39:26.9381933Z Sending build context to Docker daemon  15.36kB
2022-10-19T13:39:26.9384742Z 
2022-10-19T13:39:26.9816405Z Step 1/6 : FROM mcr.microsoft.com/dotnet/sdk:5.0
2022-10-19T13:39:26.9820016Z  ---> 9fec788bd1f9
2022-10-19T13:39:26.9820655Z Step 2/6 : RUN mkdir /tools
2022-10-19T13:39:26.9843774Z  ---> Using cache
2022-10-19T13:39:26.9844447Z  ---> 6ff498ad6abb
2022-10-19T13:39:26.9845645Z Step 3/6 : RUN dotnet tool install --tool-path /tools Microsoft.CST.DevSkim.Cli
2022-10-19T13:39:27.0330548Z  ---> Running in 4714cc515152
2022-10-19T13:39:29.3897211Z error NU1202: Package Microsoft.CST.DevSkim.CLI 0.6.30 is not compatible with net5.0 (.NETCoreApp,Version=v5.0) / any. Package Microsoft.CST.DevSkim.CLI 0.6.30 supports: net6.0 (.NETCoreApp,Version=v6.0) / any
2022-10-19T13:39:29.4428787Z The tool package could not be restored.
2022-10-19T13:39:29.4429236Z Tool 'microsoft.cst.devskim.cli' failed to install. This failure may have been caused by:
2022-10-19T13:39:29.4429494Z 
2022-10-19T13:39:29.4429948Z * You are attempting to install a preview release and did not use the --version option to specify the version.
2022-10-19T13:39:29.4430390Z * A package by this name was found, but it was not a .NET tool.
2022-10-19T13:39:29.4430792Z * The required NuGet feed cannot be accessed, perhaps because of an Internet connection problem.
2022-10-19T13:39:29.4431149Z * You mistyped the name of the tool.
2022-10-19T13:39:29.4431312Z 
2022-10-19T13:39:29.4431568Z For more reasons, including package naming enforcement, visit https://aka.ms/failure-installing-tool
2022-10-19T13:39:29.5822355Z The command '/bin/sh -c dotnet tool install --tool-path /tools Microsoft.CST.DevSkim.Cli' returned a non-zero code: 1
2022-10-19T13:39:29.5858154Z
2022-10-19T13:39:29.5859499Z ##[endgroup]
2022-10-19T13:39:29.5974320Z ##[error]Docker build failed with exit code 1
2022-10-19T13:39:29.6134258Z Uploading runner diagnostic logs
2022-10-19T13:39:29.6772247Z Completed runner diagnostic log upload
2022-10-19T13:39:29.6772498Z Cleaning up orphan processes

Question (options-json + custom rules)

Hello. We are trying to integrate the DevSkim Action into our code scanning procedure and I was trying to test options-json for the GitHub Action (there was an example in the documentation where a language-rule matrix was specified). However, the flow fails during the upload of results (not sure what it is related to; please see the screenshot attached).

I would like to ask what exactly options-json allows us to do? And is it possible to set up our custom rules for the DevSkim-Action?
And if so, what would that process look like?


I would greatly appreciate your response!
