1313 - ' cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c'
1414 workflow_dispatch : {}
1515
16-
1716jobs :
1817 scan-provider-agents :
1918
@@ -29,12 +28,17 @@ jobs:
2928 - dir : cvmassistants/keyprovider/key-provider-agent/src
3029 file : key_provider_agent.c
3130
31+ permissions :
32+ security-events : write
33+ contents : read
34+ actions : read
35+
3236 steps :
3337 - uses : actions/checkout@v4
3438 with :
3539 fetch-depth : 0
3640
37- - name : Install tools directly
41+ - name : Install tools
3842 run : |
3943 sudo apt-get update
4044 sudo apt-get install -y clang-format cppcheck
5155 run : |
5256 clang-format --dry-run -style=llvm --Werror ${{ matrix.provider-agent.file }}
5357
54- - name : cppcheck scan ${{ matrix.provider-agent.file }}
58+ - name : cppcheck scan ${{ matrix.provider-agent.file }} (SARIF)
5559 if : steps.changed.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch'
5660 working-directory : ${{ matrix.provider-agent.dir }}
57- run : | # enable all checks and suppress missing include system since RATS-TLS dependencies are not included in the repo
58- cppcheck --enable=all --suppress=missingIncludeSystem --error-exitcode=1 ${{ matrix.provider-agent.file }}
61+ run : |
62+ cppcheck --enable=all --suppress=missingIncludeSystem --xml --output-file=report.xml ${{ matrix.provider-agent.file }}
63+
64+ - name : Convert cppcheck XML → SARIF
65+ if : steps.changed.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch'
66+ uses : Flast/cppcheck-sarif@v2
67+ with :
68+ input : ${{ matrix.provider-agent.dir }}/report.xml
69+ output : ${{ matrix.provider-agent.dir }}/report.sarif
70+
71+ - name : Upload SARIF to GitHub Code Scanning
72+ if : steps.changed.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch'
73+ uses : github/codeql-action/upload-sarif@v3
74+ with :
75+ sarif_file : ${{ matrix.provider-agent.dir }}/report.sarif
76+ category : cppcheck
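Review bot: Every matrix entry uploads its SARIF under the same `category: cppcheck` on the upload-sarif step, and GitHub Code Scanning treats a later upload with the same category, ref and commit as superseding the earlier one, so with more than one provider-agent in the matrix only the last job's alerts survive; use a per-entry category such as `category: cppcheck-${{ matrix.provider-agent.file }}`. The new `Flast/cppcheck-sarif@v2` step is a third-party action referenced by a mutable tag, and it now runs in a job that grants `security-events: write` and after a checkout that persists the token in the workspace by default; pin it to a full commit SHA (`uses: Flast/cppcheck-sarif@<full-commit-sha>  # v2`) and, if no later step needs git credentials, add `persist-credentials: false` under the checkout's `with:`. Dropping `--error-exitcode=1` from the cppcheck run also means findings no longer fail the job, which is fine if Code Scanning alerts are the intended gate but deserves a comment on that run step so nobody expects CI to block on them. The `scan-provider-agents` job and the `changed` step referenced by the `if` conditions are defined above this hunk.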