Skip to content

StaticAnalysis

StaticAnalysis #1940

name: StaticAnalysis
on:
push:
paths:
# Workflow file itself
- '.github/workflows/StaticAnalysis.yml'
# C++ files
- '**.cpp'
- '**.hpp'
# CMake files
- '**.cmake'
- '**.txt'
# Script files
- '**.sh'
# dotfiles
- '.clang-tidy'
- '.cmake-format.yaml'
branches-ignore:
- 'dependabot/**'
pull_request:
branches:
- main
- develop
release:
types: [published]
workflow_dispatch:
schedule:
- cron: '0 4 * * 1'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
CMAKE_C_COMPILER_LAUNCHER: "ccache"
CMAKE_CXX_COMPILER_LAUNCHER: "ccache"
jobs:
cppcheck:
runs-on: ubuntu-24.04
env:
LLVM_VERSION: 18
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: recursive
fetch-depth: 2
- uses: reviewdog/action-setup@v1
with:
reviewdog_version: latest
- name: Install dependencies
run: sudo scripts/ci/InstallDependencies.sh
- name: Install
env:
CPPCHECK_VERSION: "2.14.2"
run: external/Phi/scripts/ci/InstallTools.sh clang-${{ env.LLVM_VERSION }} cppcheck-${{ env.CPPCHECK_VERSION }} ninja
- name: Configure
run: |
# Create build directory
mkdir build -p
cd build
# Generate compile_commands.json
cmake .. -DCMAKE_EXPORT_COMPILE_COMMANDS:BOOL=ON
# Build glad target since it generates required files
cmake --build . --target glad
- name: Run cppcheck
run: |
# Create build directory
mkdir -p build-cppcheck
cppcheck --project=build/compile_commands.json --enable=all --inconclusive --inline-suppr --template='{file}:{line}:{column}: {severity}: {message} [{id}](CWE {cwe})' -DPHI_CONFIG_ALWAYS_INLINE_OVERWRITE=inline -DPHI_CONFIG_NEVER_INLINE_OVERWRITE="" --cppcheck-build-dir="build-cppcheck" -i external --suppress=missingInclude --suppress=unusedFunction --suppress=unmatchedSuppression --suppress=missingIncludeSystem --suppress=unknownMacro -UDLXEMU_COVERAGE_BUILD 2> cppcheck.log
# Filter out external libraries and test code
cat cppcheck.log | grep -Ev "external/|tests/" > cppcheck_filtered.log || true
- name: Print results
run: cat cppcheck_filtered.log
- name: Determine reporter
uses: haya14busa/action-cond@v1
id: reporter
with:
cond: ${{ github.event_name == 'pull_request' }}
if_true: 'github-pr-check'
if_false: 'github-check'
- name: ReviewDog check
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
cat cppcheck_filtered.log | reviewdog -efm="%f:%l:%c: %m" -diff="git diff HEAD~1" -reporter=${{ steps.reporter.outputs.value }} -name CppCheck -level warning
clang-tidy:
runs-on: ubuntu-24.04
env:
LLVM_VERSION: 18
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: recursive
fetch-depth: 2
- uses: reviewdog/action-setup@v1
with:
reviewdog_version: latest
- name: Install dependencies
run: sudo scripts/ci/InstallDependencies.sh
- name: Install
run: external/Phi/scripts/ci/InstallTools.sh clang-${{ env.LLVM_VERSION }} clang-tidy-${{ env.LLVM_VERSION }} ninja
- name: Run clang-tidy
run: |
# Create build directory
mkdir build -p
cd build
# Generate compile_commands.json
cmake .. -DCMAKE_EXPORT_COMPILE_COMMANDS:BOOL=ON
# Build glad so it generates the required files
cmake --build . --target glad --clean-first
# Run clang-tidy
run-clang-tidy-${{ env.LLVM_VERSION }} -quiet -header-filter "*" -j $(nproc) | tee clang_tidy.log
# Filter to only include warnings
cat clang_tidy.log | grep "warning:" > clang_tidy_warnings.log
# Filter out external libraries and test code
cat clang_tidy_warnings.log | grep -Ev "DLXEmu/external|DLXEmu/tests|\[clang-diagnostic-ignored-optimization-argument\]" > clang_tidy_filtered.log || true
# Remove duplicate entries
sort clang_tidy_filtered.log | uniq -d > clang_tidy_output.log
- name: Print results
run: cat build/clang_tidy_output.log
- name: Determine reporter
uses: haya14busa/action-cond@v1
id: reporter
with:
cond: ${{ github.event_name == 'pull_request' }}
if_true: 'github-pr-check'
if_false: 'github-check'
- name: ReviewDog check
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
cat build/clang_tidy_output.log | reviewdog -efm="%f:%l:%c: warning: %m" -diff="git diff HEAD~1" -reporter=${{ steps.reporter.outputs.value }} -name Clang-Tidy -level warning
include-what-you-use:
runs-on: ubuntu-24.04
env:
LLVM_VERSION: 18
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: recursive
fetch-depth: 2
- name: Setup Reviewdog
uses: reviewdog/action-setup@v1
with:
reviewdog_version: latest
- name: Install
run: external/Phi/scripts/ci/InstallTools.sh iwyu-${{ env.LLVM_VERSION }} ninja
- name: Install dependencies
run: sudo scripts/ci/InstallDependencies.sh
- name: Run Include-What-You-Use
run: |
# Create build directory
mkdir build -p
cd build
# Configure
cmake .. -DCMAKE_EXPORT_COMPILE_COMMANDS:BOOL=ON
# Run include-what-you-use
iwyu_tool.py --output-format clang --jobs $(nproc) -p . ../DLXEmu ../DLXLib -- -Xiwyu --cxx17ns | tee iwyu.log || true
# Filter out correct includes and generated code
cat iwyu.log | grep -Ev "#includes/fwd-decls are correct" | tee iwyu_filtered.log || true
- name: Print results
run: cat build/iwyu_filtered.log
- name: Determine reporter
uses: haya14busa/action-cond@v1
id: reporter
with:
cond: ${{ github.event_name == 'pull_request' }}
if_true: 'github-pr-check'
if_false: 'github-check'
- name: ReviewDog check
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
cat build/iwyu_filtered.log | reviewdog -efm="%Z%A%f:%l:%c: error: %m" -efm="%C%m" -diff="git diff HEAD~1" -reporter=${{ steps.reporter.outputs.value }} -name include-what-you-use -level warning
cmake-lint:
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: recursive
- name: Setup Reviewdog
uses: reviewdog/action-setup@v1
with:
reviewdog_version: latest
- name: Setup python
uses: actions/setup-python@v5
with:
python-version: '3.x'
- name: Install
run: external/Phi/scripts/ci/InstallTools.sh cmake-format
- name: Run cmake-lint
run: cmake-lint $(find -iregex "./.*\.cmake" -or -iregex "./.*\CMakeLists\.txt") -c ".cmake-format.yaml" --suppress-decorations --outfile-path cmake_lint.log || true
- name: Print results
run: cat cmake_lint.log
- name: Determine reporter
uses: haya14busa/action-cond@v1
id: reporter
with:
cond: ${{ github.event_name == 'pull_request' }}
if_true: 'github-pr-check'
if_false: 'github-check'
- name: ReviewDog check
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
cat cmake_lint.log | reviewdog -efm="%f:%l: %m" -diff="git diff HEAD~1" -reporter=${{ steps.reporter.outputs.value }} -name cmake-lint -level warning
code-ql:
runs-on: ubuntu-24.04
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [ 'cpp' ]
compiler:
- 'gcc-14'
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
submodules: recursive
- name: Setup ccache
uses: hendrikmuhs/ccache-action@v1
with:
key: ${{ runner.os }}-${{ matrix.compiler }}
- name: Setup Environment
run: external/Phi/scripts/ci/SetupEnvironment.sh
- name: Install compiler
run: external/Phi/scripts/ci/InstallTools.sh ${{ matrix.compiler }} ninja
- name: Install dependencies
run: sudo scripts/ci/InstallDependencies.sh
- name: Configure build directory
run: |
mkdir build -p
cd build
cmake -DCMAKE_AR=$AR_EXECUTABLE -DCMAKE_BUILD_TYPE:STRING=Debug ..
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
# Override language selection by uncommenting this and choosing your languages
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
- name: Build
working-directory: ./build
run: cmake --build . --config Debug
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
upload: False
output: sarif-results
- name: filter-sarif
uses: advanced-security/filter-sarif@main
with:
patterns: -**/external/** # Ignore external directory
input: sarif-results/${{ matrix.language }}.sarif
output: sarif-results/${{ matrix.language }}.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: sarif-results/${{ matrix.language }}.sarif
msvc-code-analysis:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: windows-latest
# Default windows to use bash
defaults:
run:
shell: bash
strategy:
fail-fast: false
matrix:
build_type:
- 'RelWithDebInfo'
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
submodules: recursive
- name: Setup python
uses: actions/setup-python@v5
with:
python-version: '3.x'
cache: 'pip'
- name: Install dependencies
run: pip install jinja2
- name: Configure
run: |
# Create build directory
mkdir build -p
cd build
# Configure
cmake .. -DCMAKE_EXPORT_COMPILE_COMMANDS:BOOL=ON
- name: Build
working-directory: ./build
run: cmake --build .
- name: Initialize MSVC Code Analysis
uses: microsoft/[email protected]
# Provide a unique ID to access the sarif output path
id: run-analysis
with:
cmakeBuildDirectory: '${{ github.workspace }}/build'
buildConfiguration: ${{ matrix.build_type }}
# Ruleset file that will determine what checks will be run
ruleset: NativeRecommendedRules.ruleset
- name: filter-sarif
uses: advanced-security/filter-sarif@main
with:
patterns: -**/external/** # Ignore external directory
input: ${{ steps.run-analysis.outputs.sarif }}
output: ${{ steps.run-analysis.outputs.sarif }}
# Upload SARIF file to GitHub Code Scanning Alerts
- name: Upload SARIF to GitHub
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.run-analysis.outputs.sarif }}
# Upload SARIF file as an Artifact to download and view
- name: Upload SARIF as an Artifact
uses: actions/upload-artifact@v4
with:
name: sarif-file
path: ${{ steps.run-analysis.outputs.sarif }}
dev-skim:
name: DevSkim
runs-on: ubuntu-24.04
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run DevSkim scanner
uses: microsoft/DevSkim-Action@v1
- name: Upload DevSkim scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: devskim-results.sarif
codacy-security-scan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Codacy Security Scan
runs-on: ubuntu-24.04
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout code
uses: actions/checkout@v4
with:
submodules: recursive
# Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
- name: Run Codacy Analysis CLI
uses: codacy/codacy-analysis-cli-action@v4
with:
verbose: true
output: results.sarif
format: sarif
# Adjust severity of non-security issues
gh-code-scanning-compat: true
# Force 0 exit code to allow SARIF file generation
# This will handover control about PR rejection to the GitHub side
max-allowed-issues: 2147483647
- name: filter-sarif
uses: advanced-security/filter-sarif@main
with:
patterns: -**/external/** # Ignore external directory
input: results.sarif
output: results-filtered.sarif
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results-filtered.sarif
shellcheck:
name: ShellCheck
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: recursive
- name: Determine reporter
uses: haya14busa/action-cond@v1
id: reporter
with:
cond: ${{ github.event_name == 'pull_request' }}
if_true: 'github-pr-check'
if_false: 'github-check'
- name: Run shellcheck with reviewdog
uses: reviewdog/action-shellcheck@v1
with:
github_token: ${{ secrets.github_token }}
reporter: ${{ steps.reporter.outputs.value }}
level: warning
path: "./scripts"
pattern: "*.sh"
exclude: "./.git/*"