Uses Coverity's v7 JSON output to provide comments on Pull Requests about code quality issues.
Note: This action does not run Coverity command line tools. It is purely a way to expose Coverity output within GitHub.
Note: This action does not yet support the Cloud Native Coverity thin client, with analysis performed in the cloud. Please use this action with the traditional local analysis workflow.
Receive review feedback on your changes, including everything you need to understand and fix critical security weaknesses.
When issues have been resolved, they will be verified by subsequent analysis and the comment updated to reflect their status.
To start using this action, add the following step to your existing GitHub workflow.
```yaml
- name: Parse Coverity JSON
  uses: synopsys-sig/coverity-report-output-v7-json@<version>
  with:
    json-file-path: $COVERITY_OUTPUT_PATH
    github-token: ${{ secrets.GITHUB_TOKEN }}
```
Replace `<version>` with the version of the action you would like to use. You can find the latest version at the top of this README!
Set the parameter `json-file-path` to the path where the Coverity v7 JSON output can be found. This is the file generated using the following command:
```shell
cov-format-errors --dir <intermediate dir> --json-output-v7 coverity-results.json
```
Coverity has many deployment options, and how you use it will depend on your environment and project source code. The following provides a simple example of how Coverity could be used within a GitHub workflow in conjunction with this action. This example uses a self-hosted runner with Coverity tools pre-installed.
This workflow does the following:
- Runs `cov-manage-im` to ensure the project and stream are configured on the Coverity server. Without this step, a project and stream must be created manually. By including this step, you can easily on-board new projects into Coverity with no manual intervention. This must be run with credentials that have permission to manage projects and streams.
- Runs `cov-capture` and `cov-analyze` to create Coverity results. With those results, it runs `cov-format-errors` to generate the JSON file for this action to consume. This is the section that will vary the most from environment to environment. For example, your project may require a build capture instead of automatic capture. Or, you may use the Coverity CLI. You may also use `cov-run-desktop`, as it can generate the same JSON output.
```yaml
name: Coverity with Self-Hosted Runner
on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]
jobs:
  build:
    runs-on: [self-hosted]
    env:
      COVERITY_CHECKERS: --webapp-security
      COVERITY_URL: ${{ secrets.COVERITY_URL }}
      COV_USER: ${{ secrets.COVERITY_USER }}
      COVERITY_PASSPHRASE: ${{ secrets.COVERITY_PASSPHRASE }}
    steps:
      - uses: actions/checkout@v2
      # On push: full analysis, committed to the stream named after the repo and branch.
      - name: Coverity Scan (Full analysis)
        if: ${{ github.event_name != 'pull_request' }}
        shell: bash
        run: |
          export COVERITY_STREAM_NAME=${GITHUB_REPOSITORY##*/}-${GITHUB_REF##*/}
          cov-capture --dir idir --project-dir .
          cov-analyze --dir idir --strip-path `pwd` $COVERITY_CHECKERS
          cov-commit-defects --dir idir --ticker-mode none --url ${{ secrets.COVERITY_URL }} --on-new-cert trust --stream \
            $COVERITY_STREAM_NAME --scm git --description "GitHub Workflow $GITHUB_WORKFLOW for $GITHUB_REPOSITORY" --version $GITHUB_SHA
          cov-format-errors --dir idir --json-output-v7 coverity-results.json
      # On pull request: analyse only the files the PR added or modified.
      - name: Get Pull Request Changeset
        if: ${{ github.event_name == 'pull_request' }}
        id: changeset
        uses: jitterbit/get-changed-files@v1
      - name: Coverity Scan (Incremental analysis)
        if: ${{ github.event_name == 'pull_request' }}
        run: |
          export COVERITY_STREAM_NAME=${GITHUB_REPOSITORY##*/}-${{ github.base_ref }}
          for changed_file in ${{ steps.changeset.outputs.added_modified }}; do
            echo ${changed_file} >> coverity-files-to-scan.txt
            echo "Scan changed file ${changed_file}."
          done
          cov-capture --dir idir --project-dir .
          cov-run-desktop --dir idir --strip-path `pwd` --url ${{ secrets.COVERITY_URL }} --stream $COVERITY_STREAM_NAME --present-in-reference false \
            --ignore-uncapturable-inputs true \
            --json-output-v7 coverity-results.json \
            $COVERITY_CHECKERS \
            ${{ steps.changeset.outputs.added_modified }}
      - name: Coverity Pull Request Feedback
        uses: synopsys-sig/coverity-report-output-v7-json@v0.1.0
        with:
          # The following parameters are REQUIRED
          json-file-path: ./coverity-results.json
          github-token: ${{ secrets.GITHUB_TOKEN }}
          # If the following optional parameters are specified, the results from the JSON output will be
          # compared to the baseline issues in the specified project, and only NEW issues will be reported
          # in the pull request. The username secret is the same one used for COV_USER above.
          coverity-url: ${{ secrets.COVERITY_URL }}
          coverity-project-name: ${{ github.event.repository.name }}
          coverity-username: ${{ secrets.COVERITY_USER }}
          coverity-password: ${{ secrets.COVERITY_PASSPHRASE }}
```
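The two things the workflow above hands to this action are the `cov-format-errors` v7 JSON file and (optionally) a baseline to diff against so that only new issues reach the pull request. The following is an added example, written for this README and not code from the action itself, that shows the shape of that processing in plain Node.js: it parses a v7 report, keeps only issues whose main event lies in a file the PR changed, and separates issues already known in the baseline from new ones by `mergeKey`, the identifier Coverity uses to match the same defect across analyses. The report, the changed-file list and the baseline key list are all constructed inline; the action itself fetches the baseline from the Coverity server using the optional parameters shown above, which this example does not do. The field names used (`formatVersion`, `issues`, `mergeKey`, `checkerName`, `mainEventFilePathname`, `mainEventLineNumber`, `checkerProperties.impact`, `checkerProperties.subcategoryShortDescription`) are assumed here from the v7 layout; check them against your own `coverity-results.json` before relying on them.

```javascript
// Added example (not part of the action's own code). Field names follow
// the Coverity v7 JSON layout as assumed here; verify them against your
// own cov-format-errors output.

// Constructed sample report, standing in for ./coverity-results.json.
const SAMPLE_V7_JSON = JSON.stringify({
  type: 'Coverity issues',
  formatVersion: 7,
  issues: [
    {
      mergeKey: 'a1b2c3',
      checkerName: 'SQLI',
      mainEventFilePathname: 'src/db/query.js',
      mainEventLineNumber: 42,
      checkerProperties: { impact: 'High', subcategoryShortDescription: 'SQL injection' },
    },
    {
      mergeKey: 'd4e5f6',
      checkerName: 'NULL_RETURNS',
      mainEventFilePathname: 'src/util/parse.js',
      mainEventLineNumber: 7,
      checkerProperties: { impact: 'Medium', subcategoryShortDescription: 'Dereference null return value' },
    },
    {
      mergeKey: '778899',
      checkerName: 'XSS',
      mainEventFilePathname: 'src/web/render.js',
      mainEventLineNumber: 15,
      checkerProperties: { impact: 'High', subcategoryShortDescription: 'Cross-site scripting' },
    },
  ],
});

// Parse the report and refuse anything that is not formatVersion 7,
// so a report produced with a different flag fails loudly, not silently.
function parseV7Report(text) {
  const report = JSON.parse(text);
  if (report.formatVersion !== 7 || !Array.isArray(report.issues)) {
    throw new Error('expected Coverity JSON output with formatVersion 7');
  }
  return report.issues;
}

// Keep only issues whose main event is in a file the pull request touched.
function issuesInChangedFiles(issues, changedFiles) {
  const changed = new Set(changedFiles);
  return issues.filter((issue) => changed.has(issue.mainEventFilePathname));
}

// Split issues into new (mergeKey absent from the baseline) and known.
// An issue present in the baseline but absent from the current report
// would be the "resolved" case the README describes.
function classifyAgainstBaseline(issues, baselineMergeKeys) {
  const baseline = new Set(baselineMergeKeys);
  const fresh = [];
  const known = [];
  for (const issue of issues) {
    (baseline.has(issue.mergeKey) ? known : fresh).push(issue);
  }
  return { fresh, known };
}

// Render one Markdown bullet per issue, the way a PR comment body would.
function formatComment(issues) {
  if (issues.length === 0) return 'No new Coverity issues in changed files.';
  return issues
    .map(
      (i) =>
        `- **${i.checkerProperties.impact}** ${i.checkerProperties.subcategoryShortDescription} ` +
        `(${i.checkerName}) at \`${i.mainEventFilePathname}:${i.mainEventLineNumber}\``,
    )
    .join('\n');
}

// Whole pipeline: report text + changed files + baseline keys -> comment.
function buildPrFeedback(reportText, changedFiles, baselineMergeKeys) {
  const scoped = issuesInChangedFiles(parseV7Report(reportText), changedFiles);
  const { fresh, known } = classifyAgainstBaseline(scoped, baselineMergeKeys);
  return { fresh, known, comment: formatComment(fresh) };
}

// Example run: two files changed in the PR, the XSS finding already known
// in the baseline project, the NULL_RETURNS finding outside the changeset.
const result = buildPrFeedback(
  SAMPLE_V7_JSON,
  ['src/db/query.js', 'src/web/render.js'],
  ['778899'],
);
console.log(result.comment);
```

Run with `node` and the only bullet printed is the SQLI finding: the XSS issue is filtered out as known and the NULL_RETURNS issue because its file is not in the changeset. Matching on `mergeKey` rather than on file and line is what lets a comment stay correct when unrelated edits shift line numbers.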
Notes:
To include one or more root CA certificates, set the `NODE_EXTRA_CA_CERTS` environment variable to the certificate file path(s).
Example:
```yaml
- name: Coverity Report
  uses: synopsys-sig/coverity-report-output-v7-json@v0.0.1
  env:
    NODE_EXTRA_CA_CERTS: ${{ secrets.LOCAL_CA_CERT_PATH }}
  with:
    . . .
```