diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml new file mode 100644 index 000000000000..bfeeafb580f4 --- /dev/null +++ b/.github/workflows/scan.yml @@ -0,0 +1,51 @@ +# Scan the code in this repository; publish results to +# https://github.com/bytecodealliance/wasmtime/security/code-scanning. + +name: Code Scan + +on: + push: + branches: ["main"] + pull_request: + branches: ["main"] + schedule: + - cron: "4 3 * * 2" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze (Rust) + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + env: + CARGO_NDK_VERSION: 2.12.2 + steps: + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + submodules: true + + - uses: ./.github/actions/install-rust + + - name: Install cargo-binstall + uses: cargo-bins/cargo-binstall@3a99ae3c155195e5518c9ff954bee1b90f98b82c # v1.10.6 + + - name: Install dependencies + run: cargo binstall --no-confirm clippy-sarif sarif-fmt + + - name: Run clippy + run: | + cargo clippy --workspace --all-targets --message-format=json > clippy.json + clippy-sarif --input clippy.json --output clippy.sarif + sarif-fmt --input clippy.sarif + continue-on-error: true + + - name: Upload analysis + uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0 # v2.19.0 + with: + sarif_file: clippy.sarif + wait-for-processing: true