diff --git a/.github/workflows/pysa.yml b/.github/workflows/pysa.yml index e4dfe96..178b69a 100644 --- a/.github/workflows/pysa.yml +++ b/.github/workflows/pysa.yml @@ -1,170 +1,51 @@ -name: Pysa Action -author: Meta -description: Analyze data flows and detect security and privacy issues in Python code -branding: - icon: 'search' - color: 'orange' - -inputs: - repo-directory: - description: Path to the python source code you want to analyze. If you want to analyze the root of your repo, use './' - required: true - requirements-path: - description: Path to requirements file, relative to `repo-directory`, to look for dependencies. Default will look for requirements.txt in the root of repo-directory - required: false - default: "requirements.txt" - use-nightly: - description: Use nightly (unstable) version of Pysa - required: false - type: boolean - default: false - pysa-version: - description: Version of pyre-check package to be used - required: false - default: 'latest' - infer-types: - description: Runs pyre infer in-place to add type annotations. Note that this will change your source code during analysis - required: false - type: boolean - default: false - # SAPP Inputs - sapp-version: - description: Version of fb-sapp package to be used - required: false - default: 'latest' - sapp-filters-directory: - description: Path to your custom SAPP filters - required: false - include-default-sapp-filters: - description: Use SAPP filters packaged with Pysa - required: false - default: true - type: boolean - use-poetry: - description: Use poetry to install dependencies - required: false - default: false - type: boolean - -runs: - using: "composite" - steps: - - name: Set up Python - uses: actions/setup-python@v4 - with: - python-version: '>=3.6' - - - name: Validate repo-directory path - run: | - if [ ! -d "$REPO_DIR" ] || [ -ne "$(ls -A "$REPO_DIR")" ]; then - echo "Repository path $REPO_DIR must exist and cannot be empty" - exit 1 - fi - shell: bash - env: - # https://github.com/actions/runner/issues/665 - REPO_DIR: ${{inputs.repo-directory}} - - - name: Install Pysa - # https://github.com/actions/runner/issues/1483 - run: | - if [ "$USE_NIGHTLY" != 'false' ]; then - pip install pyre-check-nightly - elif [ "$PYSA_VERSION" = "latest" ]; then - pip install pyre-check - else - pip install pyre-check=="$PYSA_VERSION" - fi - shell: bash - env: - PYSA_VERSION: ${{inputs.pysa-version}} - USE_NIGHTLY: ${{inputs.use-nightly}} - - - name: Install dependencies - working-directory: ${{inputs.repo-directory}} - run: | - if [ "$USE_POETRY" = true ]; then - pip install poetry - poetry install --no-root - else - if [ "$REQUIREMENTS_PATH" != '' ] && [ -f "$REQUIREMENTS_PATH" ]; then - pip install -r ${{inputs.requirements-path}} - else - echo "Path $REPO_DIR/$REQUIREMENTS_PATH does not exist" - exit 1 - fi - fi - shell: bash - env: - REQUIREMENTS_PATH: ${{inputs.requirements-path}} - REPO_DIR: ${{inputs.repo-directory}} - USE_POETRY: ${{inputs.use-poetry}} - - - name: Prepare SAPP filters directory - run: | - filters_path='tmp/sapp_filters' - mkdir -p $filters_path - - if [ "$FILTERS_DIR" != '' ]; then - echo 'Copying custom sapp filters to temporary directory' - cp -r "$FILTERS_DIR"/* $filters_path - fi - - if [ "$INCLUDE_DEFAULT_SAPP_FILTERS" == 'true' ]; then - echo 'Copying default sapp filters to temporary directory' - cp -r ${{env.LD_LIBRARY_PATH}}/pyre_check/pysa_filters/* $filters_path - fi - - if ! [[ "$(ls -A "$filters_path")" ]]; then - echo 'Using neither custom sapp filters or default sapp filters' - echo '{ - "name": "Pass through filter", - "description": "Shows all issues", - "paths": ["%"] - }' > $filters_path/empty_filter.json - fi - - echo "SAPP_FILTERS_PATH=$filters_path" >> $GITHUB_ENV - shell: bash - env: - FILTERS_DIR: ${{inputs.sapp-filters-directory}} - INCLUDE_DEFAULT_SAPP_FILTERS: ${{inputs.include-default-sapp-filters}} - - - name: Set up Pyre - working-directory: ${{inputs.repo-directory}} - run: | - if [ ! -f .pyre_configuration ]; then - echo '{ - "source_directories": ["."], - "taint_models_path": "${{env.LD_LIBRARY_PATH}}" - }' > .pyre_configuration - fi - shell: bash - - - name: Run Pyre Infer - working-directory: ${{inputs.repo-directory}} - if: ${{inputs.infer-types == 'true'}} - run: | - pyre infer - pyre infer -i --annotate-from-existing-stubs - shell: bash - - - name: Run Pysa - working-directory: ${{inputs.repo-directory}} - run: | - pyre analyze --no-verify --save-results-to=./pysa-output - shell: bash - - - name: Saving Pysa results for SAPP - uses: actions/upload-artifact@v3 - with: - name: pysa-results - path: ${{inputs.repo-directory}}/pysa-output - if-no-files-found: error - - - name: Postprocess Pysa results with SAPP - uses: facebook/sapp-action@main - with: - version: ${{inputs.sapp-version}} - artifact-handle: pysa-results - filters-directory: ${{env.SAPP_FILTERS_PATH}} +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Python Static Analyzer (Pysa) with +# GitHub's Code Scanning feature. +# +# Python Static Analyzer (Pysa) is a security-focused static +# analysis tool that tracks flows of data from where they +# originate to where they terminate in a dangerous location. +# +# See https://pyre-check.org/docs/pysa-basics/ + +name: Pysa + +on: + workflow_dispatch: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '18 12 * * 5' + +permissions: + contents: read + +jobs: + pysa: + permissions: + actions: read + contents: read + security-events: write + + runs-on: windows-latest + steps: + - uses: actions/checkout@v4 + with: + submodules: true + python-version: '3.11' + + - name: Run Pysa + uses: facebook/pysa-action@f46a63777e59268613bd6e2ff4e29f144ca9e88b + with: + # To customize these inputs: + # See https://github.com/facebook/pysa-action#inputs + repo-directory: './' + requirements-path: 'requirements.txt' + infer-types: true + include-default-sapp-filters: true