ci: add coding guideline scan workflow

nashif · nashif · commit e8ab98274fbf · 2026-05-27T09:38:17.000-04:00
Add initial workflow for scanning the code base using ECLAIR.
This is the initial step used for integration, at the moment we only
build one single application using west and enable all zephyr coding
guidelines covered by the tool.

This workflow will only run on push events only and will generate a
SARIF file with all violations that can be downloaded and evaluated
locally to help triage and fix issues.

Goal it to address some of the rules with large number of violations
first, get to a manageable number of violations and start posting those
into GH dedicated tracking backend.
Later on we will also start running this on pull requests and flag
violations introduced in PRs.

This should over time also obsolete this existing workflow:

.github/workflows/coding_guidelines.yml

Signed-off-by: Anas Nashif &lt;anas.nashif@intel.com&gt;
diff --git a/.github/workflows/coding_guidelines_full.yml b/.github/workflows/coding_guidelines_full.yml
@@ -0,0 +1,169 @@
+name: Eclair Code Scanning
+on:
+  push:
+    branches:
+      - main
+      - v*-branch
+      - collab-*
+permissions:
+  contents: read
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  coding_guideline_scan:
+    if: github.repository_owner == 'zephyrproject-rtos'
+    runs-on:
+      group: zephyr-runner-v2-linux-x64-4xlarge
+    container:
+      image: ghcr.io/zephyrproject-rtos/ci-repo-cache:v0.29.2.20260422
+      options: '--entrypoint /bin/bash'
+    permissions:
+      security-events: write
+    steps:
+      - name: Print cloud service information
+        run: |
+          echo "ZEPHYR_RUNNER_CLOUD_PROVIDER = ${ZEPHYR_RUNNER_CLOUD_PROVIDER}"
+          echo "ZEPHYR_RUNNER_CLOUD_NODE = ${ZEPHYR_RUNNER_CLOUD_NODE}"
+          echo "ZEPHYR_RUNNER_CLOUD_POD = ${ZEPHYR_RUNNER_CLOUD_POD}"
+
+      - name: Apply container owner mismatch workaround
+        run: |
+          # FIXME: The owner UID of the GITHUB_WORKSPACE directory may not
+          #        match the container user UID because of the way GitHub
+          #        Actions runner is implemented. Remove this workaround when
+          #        GitHub comes up with a fundamental fix for this problem.
+          git config --global --add safe.directory ${GITHUB_WORKSPACE}
+
+      - name: Clone cached Zephyr repository
+        continue-on-error: true
+        run: |
+          git clone --shared /repo-cache/zephyrproject/zephyr .
+          git remote set-url origin ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Environment Setup
+        run: |
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+          echo "$HOME/.cargo/bin" >> $GITHUB_PATH
+
+          west init -l . || true
+          west config manifest.group-filter -- +ci,+optional
+          west config --global update.narrow true
+          west update --path-cache /repo-cache/zephyrproject 2>&1 1> west.update.log || west update --path-cache /repo-cache/zephyrproject 2>&1 1> west.update.log || ( rm -rf ../modules ../bootloader ../tools && west update --path-cache /repo-cache/zephyrproject)
+          west forall -c 'git reset --hard HEAD'
+
+          echo "ZEPHYR_SDK_INSTALL_DIR=/opt/toolchains/zephyr-sdk-$( cat SDK_VERSION )" >> $GITHUB_ENV
+
+      - name: Check Environment
+        run: |
+          cmake --version
+          gcc --version
+          cargo --version
+          rustup target list --installed
+          ls -la
+          echo "github.ref: ${{ github.ref }}"
+          echo "github.base_ref: ${{ github.base_ref }}"
+          echo "github.ref_name: ${{ github.ref_name }}"
+
+      - name: SCA Setup
+        uses: zephyrproject-rtos/action-sca-setup@681d9f46f28d391eb57e6f15fdb76af25d6c46bc
+        with:
+          tool-name: eclair
+          tool-version: 3.15.0
+          install-dir: eclair
+          s3-access-key-id: ${{ secrets.TOOLDIST_ACCESS_KEY }}
+          s3-secret-access-key: ${{ secrets.TOOLDIST_SECRET_ACCESS_KEY }}
+          license-server: ${{ secrets.TOOLDIST_ECLAIR_LICENSE_SERVER }}
+          license-key-ttl: 480
+
+      - name: Set Up Python 3.12
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: 3.12
+          cache: pip
+          cache-dependency-path: scripts/requirements-actions.txt
+
+      - name: install-packages
+        run: |
+          pip install -r scripts/requirements-actions.txt --require-hashes
+          sudo apt-get update
+          sudo apt-get install -y jq
+
+      - name: Scan code with Eclair
+        run: |
+          #./scripts/twister -j 16 -p qemu_x86  -T samples/synchronization -i --build-only -v  \
+          #  -xZEPHYR_SCA_VARIANT=eclair \
+          #  -xUSE_CCACHE=0 \
+          #  -xECLAIR_REPORTS_SARIF=1 \
+          #  -xECLAIR_RULESET_ZEPHYR_GUIDELINES=1 \
+          #  -xECLAIR_RULESET_FIRST_ANALYSIS=0
+
+          # Initially we use west to build just one single application on one
+          # platform and address rules with large number of findings. This is
+          # to make sure we can complete the scan within the time limit of
+          # GitHub Actions and also to make sure we can get the results in
+          # SARIF format without running into any issues. Once we have that
+          # working, we can expand the scan to cover more applications and
+          # platforms and start posting findings to GitHub Security tab.
+          export ZEPHYR_BASE=${PWD}
+          west -v build -p -b qemu_x86 tests/integration/kernel/ -- \
+            -DZEPHYR_SCA_VARIANT=eclair \
+            -DUSE_CCACHE=0 \
+            -DECLAIR_REPORTS_SARIF=1 \
+            -DECLAIR_RULESET_ZEPHYR_GUIDELINES=1 \
+            -DECLAIR_RULESET_FIRST_ANALYSIS=0
+
+          cp build/sca/eclair/reports.sarif .
+          cp build/sca/eclair/DIAGNOSTIC.txt .
+
+          jq -s '{ "$schema": "https://json.schemastore.org/sarif-2.1.0", "version": "2.1.0", "runs": map(.runs) | add }'  $(find build -name "reports.sarif")  > results.sarif
+          cp results.sarif results_${GITHUB_SHA}.sarif
+          jq --arg basepath "file://${GITHUB_WORKSPACE}/" '
+            .runs[].results[] |= (
+             # Remove partialFingerprints if it exists
+             del(.partialFingerprints)
+             |
+            .locations[]? |= (
+            .physicalLocation.artifactLocation.uri
+            |= if type == "string" then ($basepath + .) else . end
+            )
+            | .relatedLocations[]? |= (
+            .physicalLocation.artifactLocation.uri
+            |= if type == "string" then ($basepath + .) else . end
+            )
+            )
+            ' results.sarif > results_tmp.sarif
+          mv results_tmp.sarif results.sarif
+
+          ver=`git describe`
+          echo "PAYLOAD_VERSION=${ver}" >> $GITHUB_ENV
+          echo "PAYLOAD_DESC=${ver}" >> $GITHUB_ENV
+      - name: Clean up
+        if: always()
+        run: |
+          eclair_licman -c 57350
+
+      - name: Upload SARIF as artifact
+        if: always() && github.event_name == 'push'
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: sarif
+          if-no-files-found: ignore
+          path: |
+            DIAGNOSTIC.txt
+            results_*.sarif
+
+      # disabled for now
+      # - name: Upload Analysis Results
+      #   if: always()
+      #   uses: github/codeql-action/upload-sarif@v4
+      #   with:
+      #     sarif_file: results.sarif
