Open marian-craciunescu opened 3 years ago
Hi @marian-craciunescu,
I wanted to let you know that we collaborated with the Roslyn team who implemented a fork of this solution to create a dotnet/code-analysis action: https://github.com/dotnet/code-analysis
For the github/ossar-action, it is backed by the Microsoft Security Code Analysis CLI which does have Roslyn Analyzers available today. This is what's being leveraged by dotnet's action.
To leverage Roslyn Analyzers within OSSAR today:

1. guardian init
2. guardian configure -t roslynanalyzers
3. Edit <your repo>/.gdn/e/roslynanalyzers.gdnconfig
4. guardian run -c roslynanalyzers, or the absolute path to that roslynanalyzers.gdnconfig file
5. Update the github/ossar-action call in your workflow to specify config: roslynanalyzers, or the path to that file

We know this is a lot of overhead to get Roslyn to run today with OSSAR. Dotnet's solution runs the same code with a better UX from a workflow itself, although with the same parameters configured in a gdnconfig file. Either way, a configuration with these values will be checked into the repository, and it will still run through the MSCA CLI.
We are also working on a feature right now to run Roslyn Analyzers automatically, which would allow it to be added to the policy. Unlike other source and artifact based static analysis tools, the difficulty of Roslyn Analyzers is that they are compile time and requiring rerunning the build with the injected analyzers. Due to the complexity, it will always be a best effort but may get added to the default GitHub policy in the near future.
Thanks, Dave
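The workflow side of the steps Dave lists above, written out as a complete GitHub Actions file. This is an added example, not code from the issue thread or from the github/ossar-action project; it assumes the gdnconfig produced by guardian configure has already been checked in at .gdn/e/roslynanalyzers.gdnconfig, that the job runs on a Windows runner, and that the action exposes its SARIF report as the output sarifFile (the name in the action's README, not stated on this page).

```yaml
# Added example, not from the thread or the github/ossar-action project.
# Assumes .gdn/e/roslynanalyzers.gdnconfig is checked in, as described above.
name: OSSAR with Roslyn Analyzers

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  ossar:
    # Assumption: the MSCA CLI tooling is run on a Windows runner here.
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v2

      # Roslyn Analyzers are compile-time, so the MSCA CLI has to rebuild
      # the project with the analyzers injected; "config" picks the
      # gdnconfig that tells it how (name written by guardian configure,
      # or a path to the .gdnconfig file).
      - name: Run OSSAR with the Roslyn Analyzers config
        id: ossar
        uses: github/ossar-action@v1
        with:
          config: roslynanalyzers

      # Publish the SARIF so findings appear as code scanning alerts.
      # Assumption: the action's SARIF output is named sarifFile.
      - name: Upload OSSAR results to code scanning
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: ${{ steps.ossar.outputs.sarifFile }}
```

Because the gdnconfig lives in the repository, every push and pull request runs the same analyzer set through the MSCA CLI, and a change to the analyzer configuration is itself reviewable in the PR that makes it.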
Hi @davidknise ,
Correct me if I am wrong. As per your comment, my understanding is that the OSSAR action does support the Roslyn analysers, and can be configured as per the given steps to configure the same.
While trying to configure the Roslyn analysers, I am stuck at running the guardian init step. Can you please provide any link or reference that can help me run guardian commands? My web search has not been fruitful to proceed further. I will be grateful for any help you could provide.
Add support for https://secdevtools.azurewebsites.net/helpRoslynAnalyzers.html