Add OSSAR workflow for static analysis #79
This workflow implements the GitHub action for OSSAR that will support the current static analysis toolchain by integrating the Microsoft Security DevOps CLI with additional open-source security analysis tools.
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation.
JMG3000
left a comment
Review
All changes have been reviewed and approved based on the risk assessed.
Status:
Approved
Pull request overview
Adds a new GitHub Actions workflow to run OSSAR static analysis and upload SARIF results to GitHub’s Security tab via code scanning.
Changes:
- Introduces an OSSAR workflow triggered on pushes, PRs, and a weekly cron schedule.
- Runs github/ossar-action on windows-latest and uploads results via upload-sarif.
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 |
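Review bot: the checkout step (`uses: actions/checkout@v4`) keeps the default `persist-credentials: true`, which leaves the job token in `.git/config` for every later step, including the third-party scanners this job runs; a scan-only job never pushes, so add `with: persist-credentials: false` in addition to the SHA pinning already suggested for this line.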
For supply-chain hardening, consider pinning actions/checkout to a full commit SHA instead of the mutable @v4 tag, and use Dependabot (github-actions ecosystem) to keep it updated.
| uses: actions/checkout@v4 | |
| uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.7 |
## Review: Manually update 5 annotations for soon-to-be-deprecated actions. Status: Approved
Update OSSAR workflow to use Node.js 24 and new actions
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
| # Run open-source static analysis tools | ||
| - name: Run OSSAR | ||
| uses: github/ossar-action@v2 | ||
| id: ossar |
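Review bot: `uses: github/ossar-action@v2` is a mutable tag, while the same review asks for actions/checkout to be pinned to a full commit SHA; apply the same rule to the scanner itself (pin the SHA and annotate it `# v2`), and keep `id: ossar` only if a later upload step actually reads this step's SARIF output, otherwise the id is dead weight.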
The PR description mentions integrating the Microsoft Security DevOps CLI in this workflow, but the workflow only runs github/ossar-action and uploads its SARIF. Either update the workflow to include the intended Microsoft Security DevOps step(s), or adjust the PR description to match what’s actually being added here.
Review
All changes have been reviewed and approved based on the risk assessed.
Status:
Approved
@copilot open a new pull request to apply changes based on this feedback
| pull_request: | ||
| branches: [ "master" ] |
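Review bot: besides the fork-PR problem with `pull_request:`, no `permissions:` block is visible alongside the trigger; uploading SARIF needs `security-events: write`, and declaring `permissions:` with `contents: read` and `security-events: write` explicitly at the workflow level keeps the token least-privilege on the push and schedule runs that remain.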
Running SARIF upload on the pull_request event will fail (or be skipped) for PRs coming from forks because GITHUB_TOKEN is read-only in that context and can’t write security-events. Consider removing the pull_request trigger, or switching to a safer pattern (e.g., pull_request_target with careful checkout of the PR head SHA and no untrusted code execution with elevated permissions) depending on whether you need PR annotations.
| pull_request: | |
| branches: [ "master" ] |
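A hardened shape of the workflow that folds in the points raised in this thread (push and schedule triggers only, explicit least-privilege permissions, SHA-pinned actions, both scanners uploading SARIF under separate categories). This is an added example, not the project's workflow file; the checkout and MSDO SHAs are the ones quoted elsewhere in this thread, while the `<FULL-COMMIT-SHA>` placeholders and the cron slot are assumptions.

```yaml
name: OSSAR
# push + weekly schedule only: on pull_request from a fork GITHUB_TOKEN is
# read-only and cannot write security-events, so SARIF upload would fail.
on:
  push:
    branches: [ "master" ]
  schedule:
    - cron: '30 3 * * 1'   # constructed weekly slot (Monday 03:30 UTC); adjust

# Least privilege: read the repo, write code-scanning results, nothing else.
permissions:
  contents: read
  security-events: write

jobs:
  ossar:
    runs-on: windows-latest
    steps:
      - name: Checkout repository
        # SHA taken from the review suggestion in this thread.
        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.7
        with:
          persist-credentials: false   # scanners never need the job token

      - name: Run OSSAR
        id: ossar
        # <FULL-COMMIT-SHA> is a placeholder: resolve the v2 tag you audited.
        uses: github/ossar-action@<FULL-COMMIT-SHA> # v2

      - name: Run Microsoft Security DevOps
        id: msdo
        # SHA taken from the revision reviewed in this thread.
        uses: microsoft/security-devops-action@08976cb623803b1b36d7112d4ff9f59eae704de0 # v1.12.0

      # Two uploads on the same ref need distinct categories, otherwise the
      # second upload replaces the first in the Security tab.
      - name: Upload OSSAR results
        uses: github/codeql-action/upload-sarif@<FULL-COMMIT-SHA> # v3
        with:
          sarif_file: ${{ steps.ossar.outputs.sarifFile }}
          category: ossar

      - name: Upload MSDO results
        uses: github/codeql-action/upload-sarif@<FULL-COMMIT-SHA> # v3
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
          category: msdo
```

Pin every `<FULL-COMMIT-SHA>` to a commit you have checked against the tag and let Dependabot's github-actions ecosystem refresh them.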
## Review
All changes have been reviewed and approved based on the risk assessed.
## Status: Approved
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@copilot open a new pull request to apply changes based on the comments in this thread
…quest trigger
Co-authored-by: JMG3000 <105582814+JMG3000@users.noreply.github.com>
Agent-Logs-Url: https://github.com/codingUnited/MokseWebsite/sessions/21d1b28d-71d5-4b71-8986-fc3007c9aaff
Fix OSSAR workflow: restore valid YAML, add MSDO integration, drop pull_request trigger
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
| # Ensure a compatible version of dotnet is installed. | ||
| # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. | ||
| # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action. | ||
| # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. | ||
| # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: | ||
| # - name: Install .NET | ||
| # uses: actions/setup-dotnet@v4 | ||
| # with: | ||
| # dotnet-version: '3.1.x' | ||
|
|
||
| # Run Microsoft Security DevOps CLI | ||
| - name: Run Microsoft Security DevOps | ||
| uses: microsoft/security-devops-action@08976cb623803b1b36d7112d4ff9f59eae704de0 # v1.12.0 |
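Review bot: the `- name: Run Microsoft Security DevOps` step has no `id:`, so no later step can reference its SARIF output and its findings will not reach code scanning unless an upload step is wired to it; give it an `id:` (for example `id: msdo`) and feed its output to an upload-sarif step with a `category` distinct from the OSSAR upload, so the two result sets do not overwrite each other on the same ref. The stale dotnet comment block above the step should be removed at the same time.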
The .NET guidance comments here reference the deprecated “Microsoft Security Code Analysis CLI” and require .NET Core 3.1.x (EOL). This looks unrelated to the current microsoft/security-devops-action usage and could mislead future maintainers. Please update/remove this block to reflect the actual runtime requirements of the MSDO action (and, if .NET is truly required, install a currently supported version rather than 3.1.x).
| # Ensure a compatible version of dotnet is installed. | |
| # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. | |
| # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action. | |
| # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. | |
| # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: | |
| # - name: Install .NET | |
| # uses: actions/setup-dotnet@v4 | |
| # with: | |
| # dotnet-version: '3.1.x' | |
| # Run Microsoft Security DevOps CLI | |
| - name: Run Microsoft Security DevOps | |
| uses: microsoft/security-devops-action@08976cb623803b1b36d7112d4ff9f59eae704de0 # v1.12.0 | |
| # Microsoft Security DevOps (`microsoft/security-devops-action`) runs on GitHub-hosted runners | |
| # without requiring the deprecated Microsoft Security Code Analysis CLI or .NET Core 3.1.x. | |
| # If you are using self-hosted runners, refer to the MSDO action documentation for any | |
| # current runtime requirements and install only supported .NET versions if needed: | |
| # https://github.com/microsoft/security-devops-action | |
| # Run Microsoft Security DevOps CLI | |
| - name: Run Microsoft Security DevOps | |
| uses: microsoft/security-devops-action@08976cb623803b1b36d7112d4ff9f59eae704de0 # v1.12.0 | |
| # Run Microsoft Security DevOps CLI | |
| - name: Run Microsoft Security DevOps | |
| uses: microsoft/security-devops-action@08976cb623803b1b36d7112d4ff9f59eae704de0 # v1.12.0 |
| env: | ||
| # Opt-in early to Node.js 24 for all JavaScript-based actions | ||
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true | ||
|
|
Setting FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true opts all JavaScript-based actions in this job into Node 24, which can break actions that haven’t declared compatibility yet. Unless you specifically need this early opt-in, consider removing it or scoping the change to only the actions that require it.
| env: | |
| # Opt-in early to Node.js 24 for all JavaScript-based actions | |
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true |
Review
I will manually alter the base branch to the Mokse 59: Creat-a-dev-test-branch.
All changes have been reviewed and approved based on the risk assessed.
Status: Approved
@copilot review this PR
… outdated .NET comments
Agent-Logs-Url: https://github.com/codingUnited/MokseWebsite/sessions/2db2da9b-075e-44b7-a13e-fa8eda2a1833
Co-authored-by: JMG3000 <105582814+JMG3000@users.noreply.github.com>
Here's my review of the current PR state (commit Overall: ✅ Looks good with two issues addressed in this revision. Changes made in this review pass:
Current workflow status:
Review
All changes have been reviewed and not approved based on the timeline and effectiveness after the current update changes.
Status: Not Approved
Review:
This workflow implements the GitHub action for OSSAR that will support the current static analysis toolchain by integrating the Microsoft Security DevOps CLI with additional open-source security analysis tools.
Status:
Approved