GitHub Actions based repository scanning workflows with a primary goal of evaluating C & C++ repositories for risks.

Current scans being performed:

• clang's scan-build: Detect common C & C++ bugs using static source analysis. More details on how to integrate this scan into your CI using GitHub Actions.
• clang-tidy cognitive complexity: Calculate readability score for every function. More details on how to integrate this scan into your CI using GitHub Actions.
• OSSF Scorecard: Measure software development practices.
• CLoC: Calculate lines of code & comments.
• BinAbsInspector: Detect common C & C++ bugs using static binary analysis with Ghidra & Z3.
• Infer: Infer checks for null pointer dereferences, memory leaks, coding conventions and unavailable API’s in C & C++ code.

Scans run monthly and results are automatically published at https://intel.github.io/srs

MIT

The repository can be forked and the existing scans replaced or new ones added. All you need to add is a GitHub PAT to secrets with the name GHPAT.

1. Create a workflow YAML file under .github/workflows/my-new-scan.yml with the following required inputs:

on:
  workflow_call:
    inputs:
      repo:
        description: 'repo'
        required: true
        default: ''
        type: string
      rate-limit:
        description: 'rate limit GitHub API requests'
        required: false
        default: 150
        type: number

For steps you can define whatever is needed to perform the scan as you would with a workflow. Use Upload-Artifact Action to store the results of the scan with a key that uniquely identifies the repo and the scan, for example some-repo.my-new-scan.results.zip). It is advisable to check the GitHub API rate limit and sleep if there are fewer then 150 calls remaining for your token.

2. Add call to the new workflow in .github/workflows/srs.yml:

on:
  workflow_dispatch:
    inputs:
      ...
      my-new-scan:
        description: 'Run my-new-scan workflow'
        required: false
        type: number
        default: 0
  ...
  jobs:
    ...   
    my-new-scan:
      if: inputs.my-new-scan == 1
      needs: matrix
      secrets: inherit
      strategy:
        matrix: ${{fromJson(needs.matrix.outputs.matrix)}}
        fail-fast: false # don't stop other jobs if one fails
      uses: ./.github/workflows/my-new-scan.yml
      with:
        repo: ${{ matrix.repo }}

3. Add the new scan to the next job's needs list:

next:
    needs: [..., my-new-scan]

4. Add my-new-scan to the enabled workflows in query.yml:

      ...
      workflows:
        description: 'List of workflows to enable (CSV)'
        required: false
        type: string
        default: '...,my-new-scan'
      ...

5. Add the scan's result file (for example my-new-scan.results.zip) to the aggregate function in query/summary.sh.

    for f in $(find $ARTIFACT_DIR -type f -name '*.my-new-scan.results.zip'); do
        cp $f $ARTIFACT_DIR/aggregate-results/ || :
    done

Results will saved and published on GitHub Pages as part of the next scan.