ci: add SCA to the workflow example (#45)

felipe-iar · web-flow · commit ae305592ebe5 · 2025-06-14T08:54:51.000+02:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -17,12 +17,31 @@ jobs:
     name: Build tutorial
     runs-on: ubuntu-24.04
     container: ghcr.io/iarsystems/arm
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+      packages: read
     steps:
     - name: Checkout project
       uses: actions/checkout@v4
+
     - name: CMake - Configure
       working-directory: tutorial
       run: cmake -GNinja -Bbuild
+
     - name: CMake - Build
       working-directory: tutorial
       run: cmake --build build --verbose
+
+    - name: IAR C-STAT Static Analysis
+      working-directory: tutorial
+      run: |
+        ichecks --all --output build/checks.manifest
+        icstat --checks build/checks.manifest --db build/cstat.db --sarif_dir build analyze -- iccarm tutorial.c
+    
+    - name: Upload SARIF
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: tutorial/build/tutorial.c.sarif
+        category: cstat-analysis
