GitHub Action which helps to run CodeScan or SonarQube jobs in a GitHub workflow. The action may produce a SARIF file with analysis results.

codescan-io/codescan-scanner-action


codescan-scanner-action

Run CodeScan static code analysis jobs from a GitHub workflow. The CodeScan action produces a SARIF report file with the analysis results.

Input parameters for Action

| Parameter name | Required / Default value | Description |
|---|---|---|
| organization | required | Organization key |
| projectKey | required | Project key |
| login | required | Security authentication key (token) for a user with scan access to the project. Store it as a GitHub secret; never put the literal value in the workflow file. |
| codeScanUrl | https://app.codescan.io/ | CodeScan Cloud endpoint for your project |
| pollingTimeoutSec | 900 | Time, in seconds, to wait for post-analysis report generation to complete |
| scanChangedFilesOnly | true | For pull request scans, analyze only the files added, changed or modified in the PR |
| generateReportFile | true | Generate the SARIF file on the client side |
| generateSarifFile | false | Generate the SARIF file on the server side |
| failOnRedQualityGate | false | Fail the pipeline when the quality gate status is failed |
| args | optional | Extra parameters passed to the CodeScan analyzer, one `key=value` per line |

Example of using Action in Github Workflow

    -   name: Run Analysis
        # @master is a mutable branch reference; for a reproducible, tamper-resistant
        # supply chain pin a release tag or a commit SHA instead.
        uses: codescan-io/codescan-scanner-action@master
        with:
            # The scan token comes from a repository secret, never a literal in the file.
            login: ${{ secrets.CODESCAN_AUTH_TOKEN }}
            organization: test-org
            projectKey: test-java-project
            # Extra analyzer settings, one key=value per line.
            args: |
                sonar.verbose=true
                sonar.java.binaries=target

SARIF file output

By default the Action generates the SARIF report file on the client side. You can disable this via the generateReportFile input parameter.

The SARIF report file can also be generated on the server side. Enable this via the generateSarifFile input parameter.

As the next workflow step, upload the SARIF file so that its findings appear as code scanning alerts:

    -   name: Upload SARIF file
        # Requires `security-events: write` in the job's permissions block.
        # upload-sarif@v1 is deprecated; use the current major version.
        uses: github/codeql-action/upload-sarif@v3
        with:
            sarif_file: codescan.sarif

Once the SARIF file is uploaded, you can view, fix, and close alerts for potential vulnerabilities or errors in your project's code from the repository's code scanning alerts page. For details read this article: Managing alerts from code scanning
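A complete workflow that wires the scan step and the SARIF upload step together, added here as an example; it is not part of the project's own documentation. It assumes the repository is checked out with actions/checkout, that the scan token lives in a secret named CODESCAN_AUTH_TOKEN, and that my-org and my-project are placeholders for your organization and project keys. The action is referenced by its master branch, as on this page, since no release tag is given here.

```yaml
name: CodeScan analysis

on:
  push:
    branches: [main]
  # pull_request (not pull_request_target): the job runs against the PR's code
  # with the reduced permissions given to forks, so a malicious PR cannot
  # reach the repository's secrets.
  pull_request:

permissions:
  contents: read
  security-events: write   # required by upload-sarif to create code scanning alerts

jobs:
  codescan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history; Sonar-based scanners warn on shallow clones

      - name: Run Analysis
        # Pin a release tag or commit SHA in production; @master is a mutable reference.
        uses: codescan-io/codescan-scanner-action@master
        with:
          login: ${{ secrets.CODESCAN_AUTH_TOKEN }}   # token stored as a repository secret
          organization: my-org        # placeholder
          projectKey: my-project      # placeholder
          failOnRedQualityGate: true  # fail the job when the quality gate is red
          args: |
            sonar.java.binaries=target

      - name: Upload SARIF file
        if: always()   # upload the report even when the quality gate failed the previous step
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: codescan.sarif
```

The `permissions` block is the part most often forgotten: without `security-events: write` the upload step is rejected, and granting only `contents: read` otherwise keeps the job's token from modifying the repository. With `if: always()` on the upload, a red quality gate still fails the job but the findings that caused it are visible as alerts rather than only in the log.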