This GitHub action can be used to push source code, binaries, and scan results to an SRM instance from within a GitHub workflow; source and binaries are automatically scanned by SRM using its built-in analysis tools.
Comma-separated globs are used to select source/binary files and scan-result files.
The Action can optionally wait for analysis completion, writing the final status of the analysis to logs.
The workflow will be set to fail if:
- The source/binaries glob(s) fail to match any files
- There are any errors when contacting your SRM server
- The analysis ends in failure

Requirements
- A deployed, licensed instance of SRM (any license)
- Access from GitHub to SRM via HTTP, or via HTTPS with a recognizable certificate (use the `ca-cert` param if not using a public CA)
- A Project in SRM to store results
- An API Key or Personal Access Token with "Create" permissions for the Project

| Input Name | Description | Default Value | Required |
|---|---|---|---|
| `server-url` | The URL for the SRM server (typically ends with `/srm`) | | Yes |
| `api-key` | An API Key or Personal Access Token to use when connecting to SRM | | Yes |
| `project-id` | The ID of a project (an integer) created in SRM | undefined | Yes¹ |
| `project-name` | The name of a project created in SRM | undefined | Yes¹ |
| `base-branch-name` | The parent branch name of a project created in SRM | undefined | No² |
| `target-branch-name` | The target branch name of a project created in SRM. SRM automatically creates the branch if it does not exist yet in the project, and the new branch will be created from `base-branch-name` | undefined | No |
| `source-and-binaries-glob` | A comma-separated list of file globs matching source and binary files to be packaged and sent to SRM | undefined | No |
| `tool-outputs-glob` | A comma-separated list of file globs matching tool output/scan result files | undefined | No |
| `wait-for-completion` | Whether to wait for the analysis to complete before exiting | false | No |
| `ca-cert` | A custom CA cert to use for HTTPS connections to SRM | undefined | No |
| `dry-run` | Whether to submit an analysis (false/undefined) or only test the connection and credentials (true) | undefined | No |

Notes
1. Either `project-id` or `project-name` is required. An error will be thrown if neither is specified or both are specified.
2. `base-branch-name` is required if `target-branch-name` is specified and doesn't exist yet in the project.

```yaml
on: [push]

jobs:
  codedx-analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: SRM Upload
        uses: 'codedx/[email protected]'
        with:
          server-url: ${{ secrets.CDX_SERVER_URL }}
          api-key: ${{ secrets.CDX_API_KEY }}
          project-id: ${{ secrets.CDX_PROJECT_ID }}
          source-and-binaries-glob: './**'
          wait-for-completion: false
```
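
A second workflow, added here as an example and not taken from the project's own documentation, shows the branch inputs and scan-result upload from the table together, with `wait-for-completion` enabled so the final analysis status is written to the logs. The secret names, project name, branch names and file paths are assumptions, and the `uses:` value is a placeholder.

```yaml
# Added example: secret names, project name, branch names and paths are assumptions.
on:
  push:
    branches-ignore: [main]

permissions:
  contents: read   # the job only needs to read the checked-out code

jobs:
  srm-analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: SRM Upload (feature branch)
        # Placeholder: substitute the action reference and version you use.
        uses: 'codedx/<action>@<version>'
        with:
          server-url: ${{ secrets.SRM_SERVER_URL }}
          api-key: ${{ secrets.SRM_API_KEY }}
          # Set exactly one of project-id / project-name (see note 1).
          project-name: 'my-service'
          # SRM creates the target branch from base-branch-name if it does
          # not exist yet in the project (see note 2).
          target-branch-name: ${{ github.ref_name }}
          base-branch-name: 'main'
          # Narrower globs than './**' keep unrelated files out of the upload.
          source-and-binaries-glob: 'src/**,build/libs/*.jar'
          tool-outputs-glob: 'scan-results/*.xml,scan-results/*.sarif'
          wait-for-completion: true
```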