From aa770f8f88ef3f60be2715d1023ddde8b88d07db Mon Sep 17 00:00:00 2001
From: Felipe Torrezan <201077479+felipe-iar@users.noreply.github.com>
Date: Sat, 14 Jun 2025 08:48:13 +0200
Subject: [PATCH 1/4] ci: add SCA to the workflow example

---
 .github/workflows/ci.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index af214e4..7962556 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,9 +20,23 @@ jobs:
     steps:
       - name: Checkout project
         uses: actions/checkout@v4
+
       - name: CMake - Configure
         working-directory: tutorial
         run: cmake -GNinja -Bbuild
+
       - name: CMake - Build
         working-directory: tutorial
         run: cmake --build build --verbose
+
+      - name: IAR C-STAT Static Analysis
+        working-directory: tutorial
+        run: |
+          ichecks --all --output build/checks.manifest
+          icstat --checks build/checks.manifest --db build/cstat.db --sarif_dir build -- iccarm tutorial.c
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: build/tutorial.c.sarif
+          category: cstat-analysis

From 79aa2e78ffb4271ff9f4e252e22fa90d7596e13b Mon Sep 17 00:00:00 2001
From: Felipe Torrezan <201077479+felipe-iar@users.noreply.github.com>
Date: Sat, 14 Jun 2025 08:50:01 +0200
Subject: [PATCH 2/4] Add icstat analyze command

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7962556..c37cac6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -33,7 +33,7 @@ jobs:
         working-directory: tutorial
         run: |
           ichecks --all --output build/checks.manifest
-          icstat --checks build/checks.manifest --db build/cstat.db --sarif_dir build -- iccarm tutorial.c
+          icstat --checks build/checks.manifest --db build/cstat.db --sarif_dir build analyze -- iccarm tutorial.c
 
       - name: Upload SARIF
         uses: github/codeql-action/upload-sarif@v3
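Review bot: The new `uses: github/codeql-action/upload-sarif@v3` line references a mutable major-version tag, so the step that will be granted `security-events: write` runs whatever commit that tag points to at run time rather than a reviewed revision. Pin it to a full commit SHA and keep the version as a trailing comment, e.g. `uses: github/codeql-action/upload-sarif@<full-commit-sha> # v3`, and apply the same to the surrounding `actions/checkout@v4` context line; Dependabot or Renovate can keep the pins current. A one-line comment above the C-STAT step such as `# C-STAT: ichecks selects the rule set, icstat analyzes and writes SARIF into build/` would also help readers of this example, since neither tool name is self-explanatory.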
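Review bot: The corrected `icstat ... analyze -- iccarm tutorial.c` line compiles `tutorial.c` with a bare `iccarm` invocation, independent of whatever include paths, defines or target options the CMake build two steps earlier used, so the analysis presumably does not see the same translation unit the build produced; I cannot tell from the hunk whether the tutorial relies on any such flags. If standalone analysis is the intent, make it explicit with a comment like `# C-STAT compiles tutorial.c standalone; keep these flags in sync with the CMake build`, otherwise pass the build's compiler options (for example from a generated compile_commands.json) so findings reflect the binary actually built. The step's enclosing `steps:` sequence starts before this hunk.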
From 6061d72653d7af3d478864ab4dbc2598c893fd53 Mon Sep 17 00:00:00 2001
From: Felipe Torrezan <201077479+felipe-iar@users.noreply.github.com>
Date: Sat, 14 Jun 2025 08:51:54 +0200
Subject: [PATCH 3/4] Set fine-grained permissions for CodeQL

---
 .github/workflows/ci.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c37cac6..e300c4e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,6 +17,11 @@ jobs:
     name: Build tutorial
     runs-on: ubuntu-24.04
     container: ghcr.io/iarsystems/arm
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+      packages: read
     steps:
       - name: Checkout project
         uses: actions/checkout@v4

From 67b2c7e4b7b9bb6c71b39394a18a88b5576ced28 Mon Sep 17 00:00:00 2001
From: Felipe Torrezan <201077479+felipe-iar@users.noreply.github.com>
Date: Sat, 14 Jun 2025 08:53:47 +0200
Subject: [PATCH 4/4] Fix path to the sarif db

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e300c4e..b0f9538 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -43,5 +43,5 @@ jobs:
       - name: Upload SARIF
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: build/tutorial.c.sarif
+          sarif_file: tutorial/build/tutorial.c.sarif
           category: cstat-analysis
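Review bot: `packages: read` in the new permissions block does not by itself authenticate the `container: ghcr.io/iarsystems/arm` pull: the runner pulls a job container before the job starts and only sends credentials when `container.credentials` is set, so if the image is private the pull still fails, and if it is public the scope is granted for nothing. Either drop that line or make it useful by adding `credentials: { username: ${{ github.actor }}, password: ${{ secrets.GITHUB_TOKEN }} }` under `container:`. The other three scopes look right for this job (`security-events: write` for upload-sarif, `contents: read` for checkout, `actions: read` which, as far as I recall, upload-sarif only needs on private repositories), and a short comment such as `# least privilege: only what checkout and upload-sarif need` would document the intent. Separately, the image reference on the context line carries neither a tag nor a digest, so every run analyzes with whatever `latest` currently is; pinning it with `@sha256:<digest>` would make the analysis toolchain reproducible.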
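Review bot: The `Upload SARIF` step still has no `if:` condition, so if `icstat` in the preceding step exits non-zero when it reports findings (I cannot tell from the hunk whether it does), the SARIF is never uploaded and code scanning shows nothing exactly when there is something to show; adding `if: always()` as the first key of the step, before `uses:`, makes the upload run regardless while still letting the job fail. The corrected `sarif_file: tutorial/build/tutorial.c.sarif` is relative to the workspace because this step sets no `working-directory`, which is consistent with the analysis step writing into `tutorial/build` via `--sarif_dir build`. The file name `tutorial.c.sarif` is presumably derived by `icstat` from the input file, so a comment like `# icstat names the report after the analyzed source file` would save the next person who renames `tutorial.c` from a silent missing-file failure.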