
🌍 POEditor Locale Update - 2026-02-11 (#7982) #1705


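name: 'Security Analysis via DevSkim'

# Triggers: pushes to the long-lived branches and PRs targeting master are
# scanned only when files DevSkim inspects changed (path filters below).
# The weekly schedule and manual dispatch run without a path filter and
# therefore scan the whole tree.
on:
  push:
    branches: [ "master", "develop" ]
    paths:
      - '**/*.php'
      - '**/*.js'
      - '**/*.ts'
      - '**/*.json'
      - '**/*.yml'
      - '**/*.yaml'
      - '**/*.sql'
  pull_request:
    branches: [ "master" ]
    paths:
      - '**/*.php'
      - '**/*.js'
      - '**/*.ts'
      - '**/*.json'
      - '**/*.yml'
      - '**/*.yaml'
      - '**/*.sql'
  schedule:
    # Run weekly on Mondays at 6:00 AM UTC
    - cron: '0 6 * * 1'
  workflow_dispatch:
    # Allow manual triggering for immediate security scans.
    # For every other trigger the `inputs` context is empty, so the job
    # falls back to the defaults declared here (medium / do not fail).
    inputs:
      scan_severity:
        description: 'Minimum severity level to report'
        required: false
        type: choice
        options:
          - 'low'
          - 'medium'
          - 'high'
          - 'critical'
        default: 'medium'
      fail_on_error:
        description: 'Fail the workflow if security issues are found'
        required: false
        type: boolean
        default: false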
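jobs:
  security-scan:
    name: 'Security Analysis with DevSkim'
    runs-on: ubuntu-latest
    # Least privilege: only the scopes the steps below use.
    # `security-events: write` is required by upload-sarif. No step in this
    # job comments on pull requests, so `pull-requests: write` is not granted;
    # re-add it together with a step that needs it.
    permissions:
      actions: read
      contents: read
      security-events: write
    env:
      # Resolved once here so the shell steps read an environment variable
      # instead of interpolating an expression into the script body.
      # The `inputs` context is empty for push/PR/schedule runs -> 'medium'.
      SCAN_SEVERITY: ${{ inputs.scan_severity || 'medium' }}
    steps:
      # NOTE(review): all actions are pinned to major tags; pinning to full
      # commit SHAs is the stronger supply-chain control for this workflow.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Fetch full history for better analysis
          fetch-depth: 0

      # NOTE(review): no step in this job reads or writes ~/.devskim; confirm
      # this cache still has an effect before keeping it.
      - name: Cache DevSkim rules
        uses: actions/cache@v4
        with:
          path: ~/.devskim
          key: devskim-rules-${{ runner.os }}-${{ hashFiles('**/*.json') }}
          restore-keys: |
            devskim-rules-${{ runner.os }}-

      # NOTE(review): .NET 6 is out of support; confirm the pinned DevSkim CLI
      # still requires it before bumping.
      - name: Setup .NET 6.0
        uses: actions/setup-dotnet@v3
        with:
          dotnet-version: '6.0.x'

      - name: Install DevSkim CLI manually
        run: |
          echo "📥 Installing DevSkim CLI manually..."
          # Try different installation methods: pinned tool version first,
          # then the latest tool version, then a release archive.
          if dotnet tool install --global Microsoft.CST.DevSkim.Cli --version 0.7.104; then
            echo "✅ DevSkim CLI installed successfully via dotnet tool"
          elif dotnet tool install --global Microsoft.CST.DevSkim.Cli; then
            echo "✅ DevSkim CLI installed successfully (latest version)"
          else
            echo "❌ Failed to install DevSkim CLI via dotnet tool"
            echo "🔄 Trying alternative installation method..."
            # Download and install manually
            # NOTE(review): this archive is executed without checksum
            # verification; add a pinned sha256 check here before relying on
            # this fallback.
            wget -q https://github.com/Microsoft/DevSkim/releases/download/v0.7.104/devskim-linux-x64.zip -O devskim.zip
            unzip -q devskim.zip -d devskim-cli
            chmod +x devskim-cli/devskim
            sudo mv devskim-cli/devskim /usr/local/bin/devskim
            echo "✅ DevSkim CLI installed manually"
          fi
          # Verify installation
          if command -v devskim >/dev/null 2>&1; then
            echo "✅ DevSkim CLI is available"
            devskim --version
          else
            echo "❌ DevSkim CLI installation failed"
            exit 1
          fi

      - name: Run DevSkim security scanner
        id: devskim
        run: |
          echo "🔍 Running DevSkim security analysis..."
          # Use the repository's DevSkim configuration when it provides one
          if [ -f ".devskim.json" ]; then
            echo "Using custom DevSkim configuration"
            devskim analyze . --output-file devskim-results.sarif --output-text-format sarif --severity-threshold "$SCAN_SEVERITY" --config-file .devskim.json
          else
            echo "Using default DevSkim configuration"
            devskim analyze . --output-file devskim-results.sarif --output-text-format sarif --severity-threshold "$SCAN_SEVERITY"
          fi
          echo "✅ DevSkim analysis completed"
        # Keep the job alive on a non-zero scanner exit so the SARIF is still
        # checked, uploaded and summarised by the `always()` steps below.
        continue-on-error: true

      - name: Check DevSkim results
        id: check-results
        run: |
          if [ -f "devskim-results.sarif" ]; then
            # Count results. A missing or null `runs`/`results` yields 0 rather
            # than a non-numeric value that would break the -gt test below.
            issues=$(jq '(.runs[0].results // []) | length' devskim-results.sarif 2>/dev/null || echo "0")
            case "$issues" in ''|*[!0-9]*) issues=0 ;; esac
            echo "issues_found=$issues" >> "$GITHUB_OUTPUT"
            if [ "$issues" -gt 0 ]; then
              echo "🚨 DevSkim found $issues security issues"
              # Print the first 10 results. The slice is done in jq instead of
              # piping through head so pipefail cannot fail the step on SIGPIPE.
              jq -r '(.runs[0].results // [])[:10][] | "- \(.level // "unknown"): \(.message.text)"' devskim-results.sarif
              if [ "$issues" -gt 10 ]; then
                echo "... and $((issues - 10)) more issues"
              fi
            else
              echo "✅ No security issues found"
            fi
          else
            echo "❌ DevSkim results file not found"
            echo "issues_found=0" >> "$GITHUB_OUTPUT"
          fi

      - name: Upload DevSkim scan results to GitHub Security tab
        if: always() && hashFiles('devskim-results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: devskim-results.sarif
          category: 'devskim'
          # Wait for processing to ensure alerts are properly reconciled
          wait-for-processing: true

      - name: Create security summary
        if: always()
        env:
          # Read through env so a skipped or failed check step (empty output)
          # degrades to 0 instead of breaking the -eq test; the ref and event
          # names are passed the same way rather than interpolated into shell.
          ISSUES_FOUND: ${{ steps.check-results.outputs.issues_found }}
          EVENT_NAME: ${{ github.event_name }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          issues="${ISSUES_FOUND:-0}"
          echo "## 🛡️ DevSkim Security Analysis Results" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          if [ -f "devskim-results.sarif" ]; then
            if [ "$issues" -eq 0 ]; then
              echo "✅ **No security issues detected**" >> "$GITHUB_STEP_SUMMARY"
              echo "" >> "$GITHUB_STEP_SUMMARY"
              echo "Your code passed all DevSkim security checks!" >> "$GITHUB_STEP_SUMMARY"
            else
              echo "🚨 **$issues security issues found**" >> "$GITHUB_STEP_SUMMARY"
              echo "" >> "$GITHUB_STEP_SUMMARY"
              echo "Please review the issues in the **Security** tab of this repository." >> "$GITHUB_STEP_SUMMARY"
              echo "" >> "$GITHUB_STEP_SUMMARY"
              echo "### Summary of Issues:" >> "$GITHUB_STEP_SUMMARY"
              # Add the first 5 results to the step summary (sliced in jq, see
              # the check step for why head is avoided)
              jq -r '(.runs[0].results // [])[:5][] | "- **\(.level // "unknown" | ascii_upcase)**: \(.message.text) in `\(.locations[0].physicalLocation.artifactLocation.uri // "unknown")`"' devskim-results.sarif >> "$GITHUB_STEP_SUMMARY"
              if [ "$issues" -gt 5 ]; then
                echo "- ... and $((issues - 5)) more issues" >> "$GITHUB_STEP_SUMMARY"
              fi
            fi
          else
            echo "❌ **Scan failed or no results file generated**" >> "$GITHUB_STEP_SUMMARY"
          fi
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "**Scan details:**" >> "$GITHUB_STEP_SUMMARY"
          echo "- Trigger: $EVENT_NAME" >> "$GITHUB_STEP_SUMMARY"
          echo "- Severity threshold: $SCAN_SEVERITY" >> "$GITHUB_STEP_SUMMARY"
          echo "- Branch: $REF_NAME" >> "$GITHUB_STEP_SUMMARY"

      # Only reachable from workflow_dispatch with fail_on_error set; an empty
      # check-step output (check step did not run) also counts as a failure.
      - name: Fail on security issues (if configured)
        if: inputs.fail_on_error == true && steps.check-results.outputs.issues_found != '0'
        run: |
          echo "❌ Failing workflow due to security issues found and fail_on_error=true"
          exit 1

      - name: Archive security results
        if: always() && hashFiles('devskim-results.sarif') != ''
        uses: actions/upload-artifact@v4
        with:
          name: devskim-security-results
          path: devskim-results.sarif
          retention-days: 30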