https://github.com/seqra/seqra-action

GitHub Action for automated security scanning

# Seqra GitHub Action

Run [Seqra](https://github.com/seqra/seqra) static analysis in your CI, generate a SARIF report, and optionally upload it to GitHub Code Scanning.

## Usage

> **Note:** The action expects **Linux x86_64** runners.

### Prerequisites

Seqra analyzes your project's compiled bytecode, so the build toolchain must be available in the job before this action runs. For example:

- **Java/Kotlin projects:** Set up a JDK using `actions/setup-java@v5`

### Quick Start

### Scan

```yaml
name: Seqra Analysis
on:
  workflow_dispatch

jobs:
  seqra:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout your repository
        uses: actions/checkout@v6

      - name: Set up JDK
        uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: '21'

      - name: Run Seqra code analysis
        uses: seqra/seqra-action@v2
```

### Scan and upload to GitHub code scanning alerts

```yaml
name: Seqra Analysis
on:
  workflow_dispatch

# Required for Code Scanning upload
permissions:
  contents: read
  security-events: write

jobs:
  seqra:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout your repository
        uses: actions/checkout@v6

      - name: Set up JDK
        uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: '21'

      - name: Run Seqra code analysis
        uses: seqra/seqra-action@v2
        with:
          upload-sarif: 'true'
          artifact-name: 'sarif'
```

### All Inputs

```yaml
name: Seqra Analysis
on:
  workflow_dispatch

# Required for Code Scanning upload
permissions:
  contents: read
  security-events: write

jobs:
  seqra:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout your repository
        uses: actions/checkout@v6

      - name: Set up JDK
        uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: '21'

      - name: Run Seqra code analysis
        uses: seqra/seqra-action@v2
        with:
          # Relative path under $GITHUB_WORKSPACE to the root of the analyzed project
          project-root: '.'

          # Whether to upload the SARIF report to GitHub Code Scanning
          upload-sarif: 'false'

          # Tag of the Seqra release to run
          seqra-version: 'v2.3.0'

          # Paths to custom rules directories (comma-separated)
          # Empty by default, in which case Seqra uses its built-in rules
          rules-path: 'security/myrules'

          # Name of the uploaded SARIF artifact
          artifact-name: 'sarif'

          # Log level
          verbosity: 'info'

          # Scan timeout
          timeout: '15m'

          # Severity levels to report (comma-separated)
          # Valid values: note, warning, error
          severity: 'warning,error'
```

## Artifacts

After the job completes:

* A SARIF artifact named `sarif` (configurable via `artifact-name`) is uploaded to the workflow run.
* If `upload-sarif: 'true'`, the SARIF is also sent to **Security → Code scanning alerts** in your repo.
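As an added example (not code from Seqra or seqra-action), here is a small Python script for working with the downloaded `sarif` artifact: it reads a SARIF 2.1.0 report, applies the SARIF default level (`warning`) to results that carry none, counts findings per level, filters them the way the action's `severity` input does (comma-separated `note`, `warning`, `error`), and exposes a gate you can use to fail a pipeline on high-severity findings. The embedded SARIF document, its rule ids, file names and messages are constructed for illustration; a real report carries whatever tool name and rule ids Seqra emits.

```python
"""Summarize a SARIF 2.1.0 report by severity level.

Added example, not part of seqra-action. The SARIF content below is a
constructed sample; run the script with a path argument to read a real
report instead (e.g. the file inside the downloaded `sarif` artifact).
"""
import json
import sys
from collections import Counter

# Severity values accepted by the action's `severity` input.
ACTION_LEVELS = ("note", "warning", "error")
# Full SARIF `level` ordering, lowest to highest, used for gating.
LEVEL_ORDER = ("none", "note", "warning", "error")

# Constructed SARIF sample. Rule ids, paths and messages are made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "example/sql-injection",
             "defaultConfiguration": {"level": "error"}},
            {"id": "example/weak-hash"},   # no default level -> SARIF default
        ]}},
        "results": [
            {"ruleId": "example/sql-injection", "level": "error",
             "message": {"text": "Untrusted input reaches a SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/App.java"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "example/weak-hash",   # no explicit level on the result
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/Auth.java"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "example/unused-import", "level": "note",
             "message": {"text": "Unused import"},
             "locations": []},   # results may carry no location at all
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten every result in every run into a dict with rule, level,
    file, line and message. Level resolution follows the SARIF spec:
    result.level, else the rule's defaultConfiguration.level, else 'warning'."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules", []) if "id" in r}
        for result in run.get("results", []):
            level = result.get("level")
            if level is None:
                rule = rules.get(result.get("ruleId"), {})
                level = rule.get("defaultConfiguration", {}).get("level", "warning")
            # First location if present; an empty list yields empty fields.
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId"),
                "level": level,
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def count_by_level(findings):
    """Number of findings per SARIF level, e.g. {'error': 1, 'warning': 1}."""
    return dict(Counter(f["level"] for f in findings))


def filter_by_severity(findings, severity="warning,error"):
    """Keep findings whose level is in the comma-separated `severity` string,
    validating it against the values the action accepts."""
    wanted = {s.strip() for s in severity.split(",") if s.strip()}
    unknown = wanted - set(ACTION_LEVELS)
    if unknown:
        raise ValueError(f"unknown severity level(s): {sorted(unknown)}")
    return [f for f in findings if f["level"] in wanted]


def fail_on(findings, level="error"):
    """True if any finding is at or above `level`; levels outside the SARIF
    vocabulary rank below 'none' so they never trip the gate by accident."""
    def rank(lvl):
        return LEVEL_ORDER.index(lvl) if lvl in LEVEL_ORDER else -1
    return any(rank(f["level"]) >= rank(level) for f in findings)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SARIF
    found = load_findings(text)
    print("findings by level:", count_by_level(found))
    for f in filter_by_severity(found, "warning,error"):
        print(f"{f['level']:8} {f['rule']:30} {f['file']}:{f['line']} {f['message']}")
    sys.exit(1 if fail_on(found, "error") else 0)
```

Run it with no arguments to see the constructed sample, or pass the path of the SARIF file from the artifact; the non-zero exit on `error`-level findings lets a later workflow step act on the result.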

## Permissions

* For **artifact upload**: default permissions are fine.
* For **Code Scanning upload**: add

```yaml
permissions:
  contents: read
  security-events: write
```

## Troubleshooting

* **"Compilation has failed:"** Seqra needs to compile your project to analyze bytecode. Ensure you have set up the required build tools (e.g., JDK via `actions/setup-java@v5`) before running this action. See [Prerequisites](#prerequisites).
* **Monorepos:** Use `project-root` to restrict analysis to the sub-project you need.
* **Timeouts:** If the scan times out, increase `timeout` (e.g., `30m`).

## Changelog
See [CHANGELOG](CHANGELOG.md).

## License
This project is released under the [MIT License](LICENSE).

The [core analysis engine](https://github.com/seqra/seqra-jvm-sast) is source-available under the [Functional Source License (FSL-1.1-ALv2)](https://fsl.software/), which converts to Apache 2.0 two years after each release. You can use Seqra for free, including for commercial use, except for competing products or services.