Skip to content
This repository has been archived by the owner on Nov 28, 2024. It is now read-only.

Commit

Permalink
Update pysa.yml
Browse files Browse the repository at this point in the history
  • Loading branch information
Nick2bad4u authored Mar 27, 2024
1 parent 5bb34a3 commit 83fa050
Showing 1 changed file with 51 additions and 170 deletions.
221 changes: 51 additions & 170 deletions .github/workflows/pysa.yml
Original file line number Diff line number Diff line change
@@ -1,170 +1,51 @@
name: Pysa Action
author: Meta
description: Analyze data flows and detect security and privacy issues in Python code
branding:
icon: 'search'
color: 'orange'

inputs:
repo-directory:
description: Path to the python source code you want to analyze. If you want to analyze the root of your repo, use './'
required: true
requirements-path:
description: Path to requirements file, relative to `repo-directory`, to look for dependencies. Default will look for requirements.txt in the root of repo-directory
required: false
default: "requirements.txt"
use-nightly:
description: Use nightly (unstable) version of Pysa
required: false
type: boolean
default: false
pysa-version:
description: Version of pyre-check package to be used
required: false
default: 'latest'
infer-types:
description: Runs pyre infer in-place to add type annotations. Note that this will change your source code during analysis
required: false
type: boolean
default: false
# SAPP Inputs
sapp-version:
description: Version of fb-sapp package to be used
required: false
default: 'latest'
sapp-filters-directory:
description: Path to your custom SAPP filters
required: false
include-default-sapp-filters:
description: Use SAPP filters packaged with Pysa
required: false
default: true
type: boolean
use-poetry:
description: Use poetry to install dependencies
required: false
default: false
type: boolean

runs:
using: "composite"
steps:
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '>=3.6'

- name: Validate repo-directory path
run: |
if [ ! -d "$REPO_DIR" ] || [ -ne "$(ls -A "$REPO_DIR")" ]; then
echo "Repository path $REPO_DIR must exist and cannot be empty"
exit 1
fi
shell: bash
env:
# https://github.com/actions/runner/issues/665
REPO_DIR: ${{inputs.repo-directory}}

- name: Install Pysa
# https://github.com/actions/runner/issues/1483
run: |
if [ "$USE_NIGHTLY" != 'false' ]; then
pip install pyre-check-nightly
elif [ "$PYSA_VERSION" = "latest" ]; then
pip install pyre-check
else
pip install pyre-check=="$PYSA_VERSION"
fi
shell: bash
env:
PYSA_VERSION: ${{inputs.pysa-version}}
USE_NIGHTLY: ${{inputs.use-nightly}}

- name: Install dependencies
working-directory: ${{inputs.repo-directory}}
run: |
if [ "$USE_POETRY" = true ]; then
pip install poetry
poetry install --no-root
else
if [ "$REQUIREMENTS_PATH" != '' ] && [ -f "$REQUIREMENTS_PATH" ]; then
pip install -r ${{inputs.requirements-path}}
else
echo "Path $REPO_DIR/$REQUIREMENTS_PATH does not exist"
exit 1
fi
fi
shell: bash
env:
REQUIREMENTS_PATH: ${{inputs.requirements-path}}
REPO_DIR: ${{inputs.repo-directory}}
USE_POETRY: ${{inputs.use-poetry}}

- name: Prepare SAPP filters directory
run: |
filters_path='tmp/sapp_filters'
mkdir -p $filters_path
if [ "$FILTERS_DIR" != '' ]; then
echo 'Copying custom sapp filters to temporary directory'
cp -r "$FILTERS_DIR"/* $filters_path
fi
if [ "$INCLUDE_DEFAULT_SAPP_FILTERS" == 'true' ]; then
echo 'Copying default sapp filters to temporary directory'
cp -r ${{env.LD_LIBRARY_PATH}}/pyre_check/pysa_filters/* $filters_path
fi
if ! [[ "$(ls -A "$filters_path")" ]]; then
echo 'Using neither custom sapp filters or default sapp filters'
echo '{
"name": "Pass through filter",
"description": "Shows all issues",
"paths": ["%"]
}' > $filters_path/empty_filter.json
fi
echo "SAPP_FILTERS_PATH=$filters_path" >> $GITHUB_ENV
shell: bash
env:
FILTERS_DIR: ${{inputs.sapp-filters-directory}}
INCLUDE_DEFAULT_SAPP_FILTERS: ${{inputs.include-default-sapp-filters}}

- name: Set up Pyre
working-directory: ${{inputs.repo-directory}}
run: |
if [ ! -f .pyre_configuration ]; then
echo '{
"source_directories": ["."],
"taint_models_path": "${{env.LD_LIBRARY_PATH}}"
}' > .pyre_configuration
fi
shell: bash

- name: Run Pyre Infer
working-directory: ${{inputs.repo-directory}}
if: ${{inputs.infer-types == 'true'}}
run: |
pyre infer
pyre infer -i --annotate-from-existing-stubs
shell: bash

- name: Run Pysa
working-directory: ${{inputs.repo-directory}}
run: |
pyre analyze --no-verify --save-results-to=./pysa-output
shell: bash

- name: Saving Pysa results for SAPP
uses: actions/upload-artifact@v3
with:
name: pysa-results
path: ${{inputs.repo-directory}}/pysa-output
if-no-files-found: error

- name: Postprocess Pysa results with SAPP
uses: facebook/sapp-action@main
with:
version: ${{inputs.sapp-version}}
artifact-handle: pysa-results
filters-directory: ${{env.SAPP_FILTERS_PATH}}
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# This workflow integrates Python Static Analyzer (Pysa) with
# GitHub's Code Scanning feature.
#
# Python Static Analyzer (Pysa) is a security-focused static
# analysis tool that tracks flows of data from where they
# originate to where they terminate in a dangerous location.
#
# See https://pyre-check.org/docs/pysa-basics/

name: Pysa

on:
workflow_dispatch:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: '18 12 * * 5'

permissions:
contents: read

jobs:
pysa:
permissions:
actions: read
contents: read
security-events: write

runs-on: windows-latest
steps:
- uses: actions/checkout@v4
with:
submodules: true
python-version: '3.11'

- name: Run Pysa
uses: facebook/pysa-action@f46a63777e59268613bd6e2ff4e29f144ca9e88b
with:
# To customize these inputs:
# See https://github.com/facebook/pysa-action#inputs
repo-directory: './'
requirements-path: 'requirements.txt'
infer-types: true
include-default-sapp-filters: true

0 comments on commit 83fa050

Please sign in to comment.