coverity-simple.yml
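# GitHub Actions workflow: runs Coverity on a self-hosted runner.
#   - push to master/main: full analysis, committed to the Coverity stream.
#   - pull_request: incremental (desktop) analysis of the changed files only,
#     with the JSON results posted back to the PR by the feedback step.
name: Coverity with Self-Hosted Runner

# NOTE(review): `pull_request` jobs on a self-hosted runner execute PR code on
# your own infrastructure; confirm the repository's fork-PR approval settings
# before relying on this trigger.
on:  # yamllint disable-line rule:truthy
  push:
    branches: [master, main]
  pull_request:
    branches: [master, main]

# Least-privilege token: checkout only needs to read contents; the PR feedback
# step needs to write PR review comments. Widen only if a step fails on permissions.
permissions:
  contents: read
  pull-requests: write

jobs:
  build:
    runs-on: [self-hosted]
    env:
      COVERITY_CHECKERS: --webapp-security
      COVERITY_URL: ${{ secrets.COVERITY_URL }}
      # COV_USER / COVERITY_PASSPHRASE are the variable names the cov-* tools read.
      COV_USER: ${{ secrets.COVERITY_USER }}
      COVERITY_PASSPHRASE: ${{ secrets.COVERITY_PASSPHRASE }}
    steps:
      # TODO: pin actions to a full commit SHA (`@<commit-sha>`) rather than a
      # mutable tag, especially since they run on a self-hosted runner.
      - uses: actions/checkout@v2

      - name: Coverity Scan (Full analysis)
        if: ${{ github.event_name != 'pull_request' }}
        shell: bash
        run: |
          # Stream name is "<repo>-<branch>", e.g. myrepo-main.
          export COVERITY_STREAM_NAME="${GITHUB_REPOSITORY##*/}-${GITHUB_REF##*/}"
          cov-capture --dir idir --project-dir .
          # COVERITY_CHECKERS is deliberately unquoted: it may hold several flags.
          cov-analyze --dir idir --strip-path "$(pwd)" $COVERITY_CHECKERS
          # --on-new-cert trust accepts an unknown server certificate on first
          # contact; prefer pre-provisioning the Coverity CA on the runner so an
          # unexpected certificate is rejected rather than trusted silently.
          # The URL comes from the job-level env (same secret) instead of a second
          # `${{ secrets.* }}` expansion inside the script.
          cov-commit-defects --dir idir --ticker-mode none --url "$COVERITY_URL" --on-new-cert trust \
            --stream "$COVERITY_STREAM_NAME" --scm git \
            --description "GitHub Workflow $GITHUB_WORKFLOW for $GITHUB_REPOSITORY" --version "$GITHUB_SHA"
          cov-format-errors --dir idir --json-output-v7 coverity-results.json

      - name: Get Pull Request Changeset
        if: ${{ github.event_name == 'pull_request' }}
        id: changeset
        uses: jitterbit/get-changed-files@v1

      - name: Coverity Scan (Incremental analysis)
        if: ${{ github.event_name == 'pull_request' }}
        shell: bash
        # PR-controlled values (base branch, changed file names) are passed via
        # env and read as shell variables. Interpolating `${{ }}` directly into
        # the script body would let a crafted file name or branch name be
        # executed as shell on the runner.
        env:
          BASE_REF: ${{ github.base_ref }}
          CHANGED_FILES: ${{ steps.changeset.outputs.added_modified }}
        run: |
          export COVERITY_STREAM_NAME="${GITHUB_REPOSITORY##*/}-${BASE_REF}"
          # CHANGED_FILES is a space-separated list; word splitting is intended.
          for changed_file in $CHANGED_FILES; do
            printf '%s\n' "$changed_file" >> coverity-files-to-scan.txt
            echo "Scan changed file ${changed_file}."
          done
          cov-capture --dir idir --project-dir .
          cov-run-desktop --dir idir --strip-path "$(pwd)" --url "$COVERITY_URL" \
            --stream "$COVERITY_STREAM_NAME" --present-in-reference false \
            --ignore-uncapturable-inputs true \
            --json-output-v7 coverity-results.json \
            $COVERITY_CHECKERS \
            $CHANGED_FILES

      - name: Coverity Pull Request Feedback
        # NOTE(review): the action reference below reads as an e-mail address in
        # this copy and is almost certainly mangled; restore the intended
        # `owner/repo@ref` from the original file and pin it to a commit SHA.
        uses: [email protected]
        with:
          # The following parameters are REQUIRED
          json-file-path: ./coverity-results.json
          github-token: ${{ secrets.GITHUB_TOKEN }}
          # If the following optional parameters are specified, the results from the JSON output will be
          # compared to the baseline issues in the specified project, and only NEW issues will be reported
          # in the pull request.
          coverity-url: ${{ secrets.COVERITY_URL }}
          coverity-project-name: ${{ github.event.repository.name }}
          # Reuse the job-level COV_USER (populated from secrets.COVERITY_USER) so
          # the username comes from one secret; the previous `secrets.COV_USER`
          # referenced a differently named secret that may not exist.
          coverity-username: ${{ env.COV_USER }}
          coverity-password: ${{ secrets.COVERITY_PASSPHRASE }}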