Add GitHub Actions integration

[david-a-wheeler]

It'd be great to have a GitHub Actions integration. Now that flawfinder has SARIF output, that should in theory be easy.

More info here about creating such integrations: https://docs.github.com/en/code-security/secure-coding/integrating-with-code-scanning

[david-a-wheeler]

@michaelcfanning @jhutchings1 @eddynaka @yongyan-gh - now that SARIF output is in Flawfinder, I think that adding a GitHub Actions integration should be easy. Anyone interested in doing that, since for many use cases that's the final step?

[eddynaka]

Hi @david-a-wheeler , should we create a new repo only for the action or would u like to keep it in this repo?

[david-a-wheeler]

@eddynaka - I have a mild preference to keeping in this repo. That way they can be kept in sync if necessary.

However, if that's inconvenient, a new repo is fine. The goal is to make it easy to use :-).

[josepalafox]

Here's maybe a better resource with a lot of details on how to write the action and workflow file so that we can surface it on Github.com in the UI.

https://partner.github.com/integration-resources/2021/03/09/pattern-integrating-with-code-scanning.html

The action can live in this repo but marketplace has a 1:1 mapping of repos to actions so if you anticipate the need for multiple actions to be published to marketplace they may need their own repos. I think for a scanner you'll probably only have 1 action so colocated would be great!

[david-a-wheeler]

I expect the only action to be "scan this repo". It should be possible to configure the scan, but that should be doable with environment variables and such. We don't support a configuration file, but we could add that if it's important.

[david-a-wheeler]

So, is someone volunteering to write the action & workflow file?

[eddynaka]

@yongyan-gh , can you take a look?

we have something similar: https://github.com/microsoft/sarif-actions

[yongyan-gh]

hi @david-a-wheeler,

in order to create boilerplate workflow and publish to github, we need to refill below information, can you pls review? { "name": "flawfinder", "creator": "David A. Wheeler", "description": "Flawfinder is a simple program that scans C/C++ source code and reports potential security flaws.", "iconName": "flawfinder", "categories": ["Code Scanning", "C", "C++"] }

And also a svg icon file is required to show the flawfinder workflow in security tab. Can you please share the icon file?

[david-a-wheeler]

@yongyan-gh - the JSON looks fine.

I don't think I have an svg file, but I could make one.

I just found this thing. Thoughts?: https://github.com/marketplace/actions/flawfinder-action

[eddynaka]

Hi @david-a-wheeler , I saw that but that kind of action:

1. Is owned by someone else (it's not "official")
2. It requires a GitHub PAT

With the change we are adding, we would create an official action that does not require the PAT and we would also make the changes in https://github.com/actions/starter-workflows so it would show flawfinder in the security tab as well.

Let us know if we should pursue and merge the action that we just created. Thank y ou

[david-a-wheeler]

Not requiring a GitHub PAT is a great reason to merge this work, and I"m delighted to create an official action.

[eddynaka]

Hi @david-a-wheeler , @yongyan-gh will create another PR fixing one issue with the SARIF and, once merged, we will finish the action.

[yongyan-gh]

@david-a-wheeler this is the PR fixing SARIF issue #52, please review.

[yongyan-gh]

@yongyan-gh - the JSON looks fine.

I don't think I have an svg file, but I could make one.

I just found this thing. Thoughts?: https://github.com/marketplace/actions/flawfinder-action

hi @david-a-wheeler please share the Flawfinder icon file in svg format once you create one.

[david-a-wheeler]

I've made creating an icon a separate issue, here: https://github.com/david-a-wheeler/flawfinder/issues/53

If someone has talent to do that, I'd love to know. Otherwise I'll create a "stub" & we can replace it later once someone with artistic talent does one.

[michaelcfanning]

Sounds like fun to create an icon for you. I can propose something. Tell me a little about the 'brand' or feeling you want to create in the community for your tool. :) It's C++, obviously, we find quality issues, there's a security focus. What else? :) Do you want a serious feel? Something more playful? etc.

[david-a-wheeler]

@michaelcfanning - Good questions. Please continue in issue #53 so the icon discussions will be in one place.

[josepalafox]

Is this also being published to the GitHub Marketplace?

[eddynaka]

Hi @josepalafox , we are working on it :)

[david-a-wheeler]

The starter workflow looked reasonable to me.

[eddynaka]

@david-a-wheeler , can u verify ur publish? the action we created isn't there yet.

[david-a-wheeler]

@eddynaka - what do I need to do? Yes, I'd like it published.

I'm distracted right now, but if people can give me clear pointers I'm be happy to finish the task.

[eddynaka]

@david-a-wheeler , my comment from the other thread:

Hi @david-a-wheeler , that action did not work: https://github.com/marketplace?type=&verification=&query=flawfinder+ Some references: https://docs.github.com/en/actions/creating-actions/publishing-actions-in-github-marketplace

[yongyan-gh]

@david-a-wheeler can you pls publish the action again following the steps in the link Eddy sent?

[david-a-wheeler]

Will do. I was on vacation, and then catching up from vacation.

[david-a-wheeler]

I made some further changes. I don't think it's quite working, though hopefully it's closer. Suggestions?

[david-a-wheeler]

Also: It appears that "Flawfinder" is taken, so I renamed the action "flawfinder_scan".

[yongyan-gh]

@david-a-wheeler thank you now I can see the action was published! @eddynaka I updated the PR https://github.com/actions/starter-workflows/pull/969 with the published action and version.

[david-a-wheeler]

@yongyan-gh - Good, but it didn't seem to work when I tested it. Maybe my test was wrong?

I think the README isn't quite right (e.g., flawfinder should be flawfinder_scan) & we still need to get a logo in :-).

[yongyan-gh]

@david-a-wheeler I created PR #55 to update readme.md From actions tab seems the action works.

[eddynaka]

@david-a-wheeler , just to let you know, yesterday the pr to the starter-workflow got merged. If you access https://github.com/david-a-wheeler/flawfinder/security/code-scanning/setup you will see flawfinder there :) and that would create a github workflow ready to run.

Below the image and description:

[cooljeanius]

Well, it works, insofar as it can be turned on, and then uploads its results to the "Security" tab; the results don't look very good, though:

Specifically, the "Preview unavailable" part is rather concerning and makes it difficult to see the actual flaw being found. Ref: https://github.com/cooljeanius/usbfluxd/security/code-scanning/89