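---
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# Runs flawfinder (a static analyser for C/C++ source) over the
# checked-out repository and publishes its SARIF report to the
# GitHub Security tab (code-scanning alerts).

name: flawfinder

# Workflow-wide default token scope; the scanning job widens it
# below only where the SARIF upload needs it.
permissions:
  contents: read

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it.
on:  # yamllint disable-line rule:truthy
  push:
    branches: ["develop"]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: ["develop"]
  schedule:
    # Weekly scan (Wednesdays, 14:41 UTC) so new findings surface
    # even when nothing is pushed.
    - cron: '41 14 * * 3'

jobs:
  flawfinder:
    name: Flawfinder
    runs-on: ubuntu-latest
    # Least privilege for this job: read the tree, write only
    # code-scanning alerts (needed by upload-sarif).
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      # Every action below is pinned to a full commit SHA; the
      # trailing comment records the tag it corresponds to, so a
      # moved tag cannot change what runs.
      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          # `audit` records outbound connections without blocking
          # them; once the egress baseline is known, consider
          # `egress-policy: block` with an allowed-endpoints list.
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: flawfinder_scan
        uses: david-a-wheeler/flawfinder@c57197cd6061453f10a496f30a732bc1905918d1 # v2.0.19
        with:
          # Scan the whole checkout and emit SARIF.
          arguments: '--sarif ./'
          output: 'flawfinder_results.sarif'

      - name: Upload analysis results to GitHub Security tab
        # Tag comment is only the major version; record the exact
        # tag when this pin is next bumped.
        uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4
        with:
          # Must match the `output` of the scan step above.
          sarif_file: ${{ github.workspace }}/flawfinder_results.sarif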