Commit a70a79a

Create README.md
1 parent 303e353 commit a70a79a

1 file changed

+64
-0
lines changed

README.md

Lines changed: 64 additions & 0 deletions
@@ -0,0 +1,64 @@
1+
# Security-Code-Scan Action
2+
3+
This action is designed to run as part of a workflow that builds [SecurityCodeScan](https://www.nuget.org/packages/SecurityCodeScan/) or [SecurityCodeScan.VS2017](https://www.nuget.org/packages/SecurityCodeScan.VS2017/) referencing projects.
4+
5+
It produces a GitHub compatible SARIF file for uploading to the repository 'Code scanning alerts'.
6+
7+
# Usage
8+
9+
See [action.yml](action.yml)
10+
11+
### Input Parameters
12+
13+
**sarif_directory**: _(optional)_ The output directory where SARIF files should be collected.
14+
15+
### Workflow Examples
16+
17+
The recommended way to add this action to your workflow, is with a subsequent action that uploads the prepared SARIF files to the repository 'Code scanning alerts'. The analyzed projects must be already referencing [SecurityCodeScan](https://www.nuget.org/packages/SecurityCodeScan/) or [SecurityCodeScan.VS2017](https://www.nuget.org/packages/SecurityCodeScan.VS2017/) Nuget package.
18+
For example:
19+
20+
```yaml
21+
on:
22+
push:
23+
24+
jobs:
25+
SCS:
26+
runs-on: ubuntu-latest
27+
steps:
28+
- uses: actions/checkout@v2
29+
30+
- name: Build
31+
run: |
32+
dotnet build /p:ErrorLog=analysis.sarif
33+
34+
- name: Convert sarif for uploading to GitHub
35+
uses: security-code-scan/[email protected]
36+
37+
- name: Upload sarif
38+
uses: github/codeql-action/upload-sarif@v1
39+
```
40+
41+
Another option is to add the nuget package to specific projects from the script:
42+
43+
```yaml
44+
on:
45+
push:
46+
47+
jobs:
48+
SCS:
49+
runs-on: ubuntu-latest
50+
steps:
51+
- uses: actions/checkout@v2
52+
53+
- name: Build
54+
run: |
55+
dotnet add src/SourcesFolderName/ProjectName.csproj package SecurityCodeScan.VS2017
56+
dotnet add src/SourcesFolderName2/ProjectName2.csproj package SecurityCodeScan.VS2017
57+
dotnet build /p:ErrorLog=analysis.sarif
58+
59+
- name: Convert sarif for uploading to GitHub
60+
uses: security-code-scan/[email protected]
61+
62+
- name: Upload sarif
63+
uses: github/codeql-action/upload-sarif@v1
64+
```
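Review bot: the `uses:` reference on both "Convert sarif for uploading to GitHub" steps is written as `security-code-scan/[email protected]`, which is not a valid `owner/repo@ref` and reads like an obfuscated placeholder; spell out the real action path, and pin it (along with `actions/checkout@v2` and `github/codeql-action/upload-sarif@v1`) to a release tag or, better, a full commit SHA so that a moved tag cannot silently change what runs in CI. The "Upload sarif" step also shows no `with: sarif_file:` and the workflow declares no `permissions:` block, so a reader cannot tell how the files collected under `sarif_directory` reach the upload step or that the job token is allowed to write code-scanning alerts; adding `with:` / `sarif_file: <the same directory passed as sarif_directory>` to the upload step and `security-events: write` under `permissions:` would make the examples copy-pasteable. In the second example, `dotnet add ... package SecurityCodeScan.VS2017` has no `--version`, so every CI run resolves the newest analyzer package at build time; pin the version for reproducible builds. Minor: "Nuget" should be "NuGet", and the comma in "to your workflow, is with" should go.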
