ci: eclair: add SARIF summary step #1
| name: Coding Guidelines Scanning | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - v*-branch | |
| - collab-* | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| coding_guideline_scan: | |
| if: github.repository_owner == 'zephyrproject-rtos' | |
| runs-on: | |
| group: zephyr-runner-v2-linux-x64-4xlarge | |
| container: | |
| image: ghcr.io/zephyrproject-rtos/ci-repo-cache:v0.29.2.20260422 | |
| options: '--entrypoint /bin/bash' | |
| permissions: | |
| security-events: write | |
| steps: | |
| - name: Print cloud service information | |
| run: | | |
| echo "ZEPHYR_RUNNER_CLOUD_PROVIDER = ${ZEPHYR_RUNNER_CLOUD_PROVIDER}" | |
| echo "ZEPHYR_RUNNER_CLOUD_NODE = ${ZEPHYR_RUNNER_CLOUD_NODE}" | |
| echo "ZEPHYR_RUNNER_CLOUD_POD = ${ZEPHYR_RUNNER_CLOUD_POD}" | |
| - name: Apply container owner mismatch workaround | |
| run: | | |
| # FIXME: The owner UID of the GITHUB_WORKSPACE directory may not | |
| # match the container user UID because of the way GitHub | |
| # Actions runner is implemented. Remove this workaround when | |
| # GitHub comes up with a fundamental fix for this problem. | |
| git config --global --add safe.directory ${GITHUB_WORKSPACE} | |
| - name: Clone cached Zephyr repository | |
| continue-on-error: true | |
| run: | | |
| git clone --shared /repo-cache/zephyrproject/zephyr . | |
| git remote set-url origin ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY} | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Environment Setup | |
| run: | | |
| echo "$HOME/.local/bin" >> $GITHUB_PATH | |
| echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
| west init -l . || true | |
| west config manifest.group-filter -- +ci,+optional | |
| west config --global update.narrow true | |
| west update --path-cache /repo-cache/zephyrproject 2>&1 1> west.update.log || west update --path-cache /repo-cache/zephyrproject 2>&1 1> west.update.log || ( rm -rf ../modules ../bootloader ../tools && west update --path-cache /repo-cache/zephyrproject) | |
| west forall -c 'git reset --hard HEAD' | |
| echo "ZEPHYR_SDK_INSTALL_DIR=/opt/toolchains/zephyr-sdk-$( cat SDK_VERSION )" >> $GITHUB_ENV | |
| - name: Check Environment | |
| run: | | |
| cmake --version | |
| gcc --version | |
| cargo --version | |
| rustup target list --installed | |
| ls -la | |
| echo "github.ref: ${{ github.ref }}" | |
| echo "github.base_ref: ${{ github.base_ref }}" | |
| echo "github.ref_name: ${{ github.ref_name }}" | |
| - name: SCA Setup | |
| uses: zephyrproject-rtos/action-sca-setup@681d9f46f28d391eb57e6f15fdb76af25d6c46bc | |
| with: | |
| tool-name: eclair | |
| tool-version: 3.15.0 | |
| install-dir: eclair | |
| s3-access-key-id: ${{ secrets.TOOLDIST_ACCESS_KEY }} | |
| s3-secret-access-key: ${{ secrets.TOOLDIST_SECRET_ACCESS_KEY }} | |
| license-server: ${{ secrets.TOOLDIST_ECLAIR_LICENSE_SERVER }} | |
| license-key-ttl: 480 | |
| - name: Set Up Python 3.12 | |
| uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 | |
| with: | |
| python-version: 3.12 | |
| cache: pip | |
| cache-dependency-path: scripts/requirements-actions.txt | |
| - name: install-packages | |
| run: | | |
| pip install -r scripts/requirements-actions.txt --require-hashes | |
| sudo apt-get update | |
| sudo apt-get install -y jq | |
| - name: Scan code with Eclair | |
| run: | | |
| #./scripts/twister -j 16 -p qemu_x86 -T samples/synchronization -i --build-only -v \ | |
| # -xZEPHYR_SCA_VARIANT=eclair \ | |
| # -xUSE_CCACHE=0 \ | |
| # -xECLAIR_REPORTS_SARIF=1 \ | |
| # -xECLAIR_RULESET_ZEPHYR_GUIDELINES=1 \ | |
| # -xECLAIR_RULESET_FIRST_ANALYSIS=0 | |
| # Initially we use west to build just one single application on one | |
| # platform and address rules with large number of findings. This is | |
| # to make sure we can complete the scan within the time limit of | |
| # GitHub Actions and also to make sure we can get the results in | |
| # SARIF format without running into any issues. Once we have that | |
| # working, we can expand the scan to cover more applications and | |
| # platforms and start posting findings to GitHub Security tab. | |
| export ZEPHYR_BASE=${PWD} | |
| west -v build -p -b qemu_x86 tests/integration/kernel/ -- \ | |
| -DZEPHYR_SCA_VARIANT=eclair \ | |
| -DUSE_CCACHE=0 \ | |
| -DECLAIR_REPORTS_SARIF=1 \ | |
| -DECLAIR_RULESET_ZEPHYR_GUIDELINES=1 \ | |
| -DECLAIR_RULESET_FIRST_ANALYSIS=0 | |
| cp build/sca/eclair/reports.sarif . | |
| cp build/sca/eclair/DIAGNOSTIC.txt . | |
| jq -s '{ "$schema": "https://json.schemastore.org/sarif-2.1.0", "version": "2.1.0", "runs": map(.runs) | add }' $(find build -name "reports.sarif") > results.sarif | |
| cp results.sarif results_${GITHUB_SHA}.sarif | |
| jq --arg basepath "file://${GITHUB_WORKSPACE}/" ' | |
| .runs[].results[] |= ( | |
| # Remove partialFingerprints if it exists | |
| del(.partialFingerprints) | |
| | | |
| .locations[]? |= ( | |
| .physicalLocation.artifactLocation.uri | |
| |= if type == "string" then ($basepath + .) else . end | |
| ) | |
| | .relatedLocations[]? |= ( | |
| .physicalLocation.artifactLocation.uri | |
| |= if type == "string" then ($basepath + .) else . end | |
| ) | |
| ) | |
| ' results.sarif > results_tmp.sarif | |
| mv results_tmp.sarif results.sarif | |
| ver=`git describe` | |
| echo "PAYLOAD_VERSION=${ver}" >> $GITHUB_ENV | |
| echo "PAYLOAD_DESC=${ver}" >> $GITHUB_ENV | |
| - name: Clean up | |
| if: always() | |
| run: | | |
| eclair_licman -c 57350 | |
| - name: Upload SARIF as artifact | |
| if: always() && github.event_name == 'push' | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: sarif | |
| if-no-files-found: ignore | |
| path: | | |
| DIAGNOSTIC.txt | |
| results_*.sarif | |
| - name: Summarize SARIF results | |
| if: always() | |
| run: | | |
| python3 scripts/ci/sarif_summary.py results.sarif | |
| # disabled for now | |
| # - name: Upload Analysis Results | |
| # if: always() | |
| # uses: github/codeql-action/upload-sarif@v4 | |
| # with: | |
| # sarif_file: results.sarif |
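Review bot: The new "Summarize SARIF results" step is gated on `if: always()`, so it also runs when "Scan code with Eclair" fails before `results.sarif` is written, and `scripts/ci/sarif_summary.py` will then fail on a missing file and report a second, misleading failure next to the real one. The "Upload SARIF as artifact" step already tolerates this via `if-no-files-found: ignore`; the summary step should be guarded the same way, e.g. `if: always() && hashFiles('results.sarif') != ''`. If the script is meant to produce a summary even without results, that fallback belongs in the script, and a short comment above the step saying so would help the next reader.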