Coverity is a static analysis tool that detects and generates reports on
various security and code quality issues.
It is particularly useful when diagnosing memory safety issues which may
be used as part of exploiting a security vulnerability.
Coverity's website provides a service accepts "builds" (which is more or
less the collection of '*.o' files generated during a standard build
with "make") as input and generates reports as output. In order to
generate a report, we have to first compile Git and then upload the
build archive to Coverity.
This Action generates and uploads a build archive to Coverity when a
GitHub repository has configured the "COVERITY_SCAN_EMAIL" and
"COVERITY_SCAN_TOKEN" repository secrets, respectively. This enables
Coverity to automatically report on new changes pushed to 'master', as
well as any newly created tags.
A couple of implementation notes:
- In order to successfully build 'git', we (ab-)use the
ci/install-dependencies.sh script by faking in some of the
environment variables to take on values specific to the main.yml
workflow file in order to install the correct set of dependencies.
- We could upload the build archive to Coverity directly with a
straightforward curl request. But using the vapier/coverity-scan
Action comes with some additional niceties, such as caching the
(rather large) Coverity tool download between runs.
If the repository is missing either of the two secret tokens mentioned
earlier, this Action is a no-op.
Signed-off-by: Taylor Blau <me@xxxxxxxxxxxx>
---
.github/workflows/coverity.yml | 35 ++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 .github/workflows/coverity.yml
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
new file mode 100644
index 0000000000..26b9145d9e
--- /dev/null
+++ b/.github/workflows/coverity.yml
@@ -0,0 +1,35 @@
+name: Coverity
+
+on:
+ push:
+ branches:
+ - master
+ tags:
+ - '*'
+
+jobs:
+ coverity:
+ runs-on: ubuntu-latest
+ env:
+ HAVE_COVERITY_TOKEN: ${{ secrets.COVERITY_SCAN_EMAIL != '' && secrets.COVERITY_SCAN_TOKEN != '' }}
+ steps:
+ - id: check-coverity
+ name: check whether Coverity token is configured
+ run: |
+ echo "enabled=$HAVE_COVERITY_TOKEN" >>$GITHUB_OUTPUT
+ - uses: actions/checkout@v3
+ if: steps.check-coverity.outputs.enabled == 'true'
+ - run: ci/install-dependencies.sh
+ env:
+ CC: gcc
+ CC_PACKAGE: gcc-9
+ jobname: linux-gcc-default
+ runs_on_pool: ubuntu-latest
+ if: steps.check-coverity.outputs.enabled == 'true'
+ - uses: vapier/coverity-scan-action@v1
+ if: steps.check-coverity.outputs.enabled == 'true'
+ with:
+ email: ${{ secrets.COVERITY_SCAN_EMAIL }}
+ token: ${{ secrets.COVERITY_SCAN_TOKEN }}
+ command: make -j8
+
--
2.42.0.15.geed1e1a32a
