How to setup a GitHub Action for Code Security analysis
Configure GitHub Actions in the Settings tab of the repository that needs to be scanned. Select the desired setting and save.
Now visit "Code security and analysis" in the Security section of Settings. You can now see that Code scanning is available to set up.
Click "Explore workflows" to see all available code scanning tool options.
Select the desired code scanning tool and edit the drafted YAML file if needed. For this example, the following was selected:
Note: GitHub will attempt to detect the language the repository is using. Notice above that GitHub has already detected that easybuggy is a Java app and added that language in line #40 of the screenshot.
Ensure that GitHub has detected the correct language for scanning and edit accordingly.
Configure the push/pull request branches for scanning based on your needs.
Click "Commit changes" on the right of the screen.
Select "Create a new branch..." so that the workflow lands on a new branch, in case GitHub's Autobuild feature doesn't work as intended.
Click "Propose changes" to draft the pull request and add any description information if needed.
Click "Create pull request" to start the job.
Visit the Actions tab when the job is complete to see the workflow runs.
Select the run and check whether the build completed without issues.
If the job fails, the Autobuild step may need adjustment. This happens when your application uses a custom build that differs from the standard build process; it can be corrected by configuring the appropriate build steps in the YAML file.
Once the job completes, click into the run to see the stages of the build and analysis.
Now go to Pull requests and merge the request into the master branch to see results.
Go to the Security tab and select Code scanning to see the results of the scan.
Now, every time there is a pull request to the master branch, the scan will show whether there are any issues with the code before merging.