
[actions] Add binskim as static code analysis tools to identify security vulnerabilities in build system #6


Workflow file for this run

name: BinSkim
on:
  pull_request:
    branches:
      - master
  push:
jobs:
  binskim:
    if: github.repository_owner == 'sonic-net'
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v2
      - name: download
        run: |
          $URL="https://artprodcus3.artifacts.visualstudio.com/Af91412a5-a906-4990-9d7c-f697b81fc04d/be1b070f-be15-4154-aade-b1d3bfb17054/_apis/artifact/cGlwZWxpbmVhcnRpZmFjdDovL21zc29uaWMvcHJvamVjdElkL2JlMWIwNzBmLWJlMTUtNDE1NC1hYWRlLWIxZDNiZmIxNzA1NC9idWlsZElkLzMyNzk1MS9hcnRpZmFjdE5hbWUvc29uaWMtYnVpbGRpbWFnZS5icm9hZGNvbQ2/content?format=file&subPath=%2Ftarget%2Fsonic-broadcom.bin"
          Invoke-WebRequest -Uri $URL -OutFile sonic-broadcom.bin
      - uses: actions/setup-dotnet@v1
        with:
          dotnet-version: '6.0.x'
      #- name: submodule
      #  run: |
      #    git -c submodule.src/sonic-genl-packet.update=none -c submodule.src/sonic-gnmi.update=none submodule update --init
      - name: Run OSSAR
        uses: github/ossar-action@v1
        id: ossar
        env:
          GDN_BANDIT_TARGET: '${{ github.workspace }}\src'
          GDN_BANDIT_RECURSIVE: true
      - name: Upload results to Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.ossar.outputs.sarifFile }}