Xanitizer Security Analysis #64
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This workflow uses actions that are not certified by GitHub. | |
# They are provided by a third-party and are governed by | |
# separate terms of service, privacy policy, and support | |
# documentation. | |
# This workflow downloads and installs the latest version of Xanitizer, builds your project, runs a Xanitizer security analysis on it, | |
# and then archives the findings list reports and uploads the findings into the GitHub code scanning alert section of your repository. | |
# | |
# Documentation for the `RIGS-IT/xanitizer-action` is located here: https://github.com/RIGS-IT/xanitizer-action | |
# | |
# To use this basic workflow, you will need to complete the following setup steps: | |
# | |
# 1. The underlying Xanitizer, used in this workflow, needs a separate license file. | |
# Licenses are free of charge for open source projects and for educational usage. | |
# To get more information about the Xanitizer licenses and how to obtain a license file, | |
# please consult https://www.xanitizer.com/xanitizer-pricing/. | |
# | |
# 2. The content of the license file has to be stored as a GitHub secret (e.g. XANITIZER_LICENSE) on this repository. | |
# Please consult https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details. | |
# | |
# 3. Reference the GitHub secret in the step using the `RIGS-IT/xanitizer-action` GitHub action. | |
# Example: | |
# - name: Xanitizer Security Analysis | |
# uses: RIGS-IT/xanitizer-action@v1 | |
# with: | |
# license: ${{ secrets.XANITIZER_LICENSE }} | |
# | |
# 4. As a static application security testing (SAST) tool, | |
# Xanitizer requires that all dependencies of the artifacts being analyzed can be resolved successfully. | |
# So you have to install all used libraries and build your project before running the security analysis, | |
# e.g. via `mvn compile` for Java or `npm install` for JavaScript | |
name: "Xanitizer Security Analysis" | |
on: | |
push: | |
branches: [ "master" ] | |
pull_request: | |
# The branches below must be a subset of the branches above | |
branches: [ "master" ] | |
schedule: | |
- cron: '43 8 * * 4' | |
workflow_dispatch: | |
permissions: | |
contents: read | |
jobs: | |
xanitizer-security-analysis: | |
# Xanitizer runs on ubuntu-latest and windows-latest. | |
permissions: | |
contents: read # for actions/checkout to fetch code | |
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
runs-on: ubuntu-latest | |
steps: | |
# Check out the repository | |
- name: Checkout | |
uses: actions/checkout@v3 | |
# Set up the correct Java version for your project | |
# Please comment out, if your project does not contain Java source code. | |
- name: Set up JDK 11 | |
uses: actions/setup-java@v3 | |
with: | |
java-version: 11 | |
distribution: 'temurin' | |
# Compile the code for Java projects and get all libraries, e.g. via Maven | |
# Please adapt, if your project uses another build system to compile Java source code. | |
# Please comment out, if your project does not contain Java source code. | |
- name: Compile Java code | |
run: mvn -B compile | |
# Install all dependent libraries for JavaScript/TypeScript projects, e.g. via npm | |
# Please adapt to run `npm install` in the correct directories. | |
# Please adapt, if your project uses another package manager for getting JavaScript libraries. | |
# Please comment out, if your project does not use a package manager for getting JavaScript libraries. | |
- name: Install JavaScript libraries | |
run: npm install | |
# Run the security analysis with default settings | |
- name: Xanitizer Security Analysis | |
uses: RIGS-IT/xanitizer-action@87d13138fb113b727cbe040c744a15a2b4fe5316 | |
with: | |
license: ${{ secrets.XANITIZER_LICENSE }} | |
# Archiving the findings list reports | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: Xanitizer-Reports | |
path: | | |
*-Findings-List.pdf | |
*-Findings-List.sarif | |
# Uploads the findings into the GitHub code scanning alert section using the upload-sarif action | |
- uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: Xanitizer-Findings-List.sarif |