Conversation
Walkthrough
A new GitHub Actions workflow has been introduced to integrate OSSAR static code analysis into the repository's continuous integration pipeline. The workflow executes on pushes to main, pull requests targeting main, and on a scheduled cadence every three days. It performs OSSAR analysis and uploads the resulting SARIF security report artefacts.
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
Pull request overview
This PR adds an OSSAR (Open Source Static Analysis Runner) workflow to run security scanning on the codebase. However, OSSAR is deprecated by GitHub and primarily designed for .NET/C# projects, making it unsuitable for this Python project which already has comprehensive security scanning through CodeQL and Bandit.
Changes:
- Adds a new GitHub Actions workflow file for OSSAR security scanning
- Configures the workflow to run on push, pull requests, and scheduled intervals
- Sets up Windows runner with proper permissions for security event uploads
| # This workflow uses actions that are not certified by GitHub. | ||
| # They are provided by a third-party and are governed by | ||
| # separate terms of service, privacy policy, and support | ||
| # documentation. | ||
|
|
||
| # This workflow integrates a collection of open source static analysis tools | ||
| # with GitHub code scanning. For documentation, or to provide feedback, visit | ||
| # https://github.com/github/ossar-action | ||
| name: OSSAR | ||
|
|
||
| on: | ||
| push: | ||
| branches: [ "main" ] | ||
| pull_request: | ||
| # The branches below must be a subset of the branches above | ||
| branches: [ "main" ] | ||
| schedule: | ||
| - cron: '0 0 * * */3' | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| OSSAR-Scan: | ||
| # OSSAR runs on windows-latest. | ||
| # ubuntu-latest and macos-latest support coming soon | ||
| permissions: | ||
| contents: read # for actions/checkout to fetch code | ||
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | ||
| actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | ||
| runs-on: windows-latest | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| # Ensure a compatible version of dotnet is installed. | ||
| # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. | ||
| # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action. | ||
| # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. | ||
| # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: | ||
| # - name: Install .NET | ||
| # uses: actions/setup-dotnet@v4 | ||
| # with: | ||
| # dotnet-version: '3.1.x' | ||
|
|
||
| # Run open source static analysis tools | ||
| - name: Run OSSAR | ||
| uses: github/ossar-action@v1 | ||
| id: ossar | ||
|
|
||
| # Upload results to the Security tab | ||
| - name: Upload OSSAR results | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| with: | ||
| sarif_file: ${{ steps.ossar.outputs.sarifFile }} |
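Review bot: the schedule line `- cron: '0 0 * * */3'` puts the `*/3` step in the day-of-week field, so the job fires on Sunday, Wednesday and Saturday rather than every three days; cron has no field for "every N calendar days", so either use `'0 0 */3 * *'` (the 1st, 4th, ..., 31st of each month, with the interval resetting at the month boundary) or list the weekdays explicitly, for example `'0 0 * * 0,3,6'`, and state the intended cadence in a comment. Two smaller points on the same hunk: `actions/checkout@v4`, `github/ossar-action@v1` and `github/codeql-action/upload-sarif@v3` are all mutable tags, so pin each to a full commit SHA with the tag kept as a trailing comment; and the `# Ensure a compatible version of dotnet is installed` block still cites .NET Core 3.1.201, a runtime that went out of support in December 2022, so update or drop that guidance before merging.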
OSSAR (Open Source Static Analysis Runner) is primarily designed for .NET/C# projects and requires Windows runners. This is a Python project (cloudstile - a Cloudflare Turnstile library) that already has comprehensive static analysis coverage through CodeQL and Bandit workflows.
OSSAR may provide limited value for this Python codebase since:
- It's optimized for .NET static analysis tools
- The repository already has CodeQL (line 68 uses github/codeql-action/init@v3) which provides excellent multi-language support including Python
- The repository already has Bandit (line 34 in bandit.yml) which is Python-specific security scanning
Consider whether adding OSSAR provides sufficient value to justify maintaining another security workflow, or if the existing CodeQL and Bandit workflows provide adequate coverage.
| # This workflow uses actions that are not certified by GitHub. | |
| # They are provided by a third-party and are governed by | |
| # separate terms of service, privacy policy, and support | |
| # documentation. | |
| # This workflow integrates a collection of open source static analysis tools | |
| # with GitHub code scanning. For documentation, or to provide feedback, visit | |
| # https://github.com/github/ossar-action | |
| name: OSSAR | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| pull_request: | |
| # The branches below must be a subset of the branches above | |
| branches: [ "main" ] | |
| schedule: | |
| - cron: '0 0 * * */3' | |
| permissions: | |
| contents: read | |
| jobs: | |
| OSSAR-Scan: | |
| # OSSAR runs on windows-latest. | |
| # ubuntu-latest and macos-latest support coming soon | |
| permissions: | |
| contents: read # for actions/checkout to fetch code | |
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
| actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
| runs-on: windows-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # Ensure a compatible version of dotnet is installed. | |
| # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. | |
| # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action. | |
| # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. | |
| # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: | |
| # - name: Install .NET | |
| # uses: actions/setup-dotnet@v4 | |
| # with: | |
| # dotnet-version: '3.1.x' | |
| # Run open source static analysis tools | |
| - name: Run OSSAR | |
| uses: github/ossar-action@v1 | |
| id: ossar | |
| # Upload results to the Security tab | |
| - name: Upload OSSAR results | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: ${{ steps.ossar.outputs.sarifFile }} | |
| # Deprecated workflow (OSSAR) removed. | |
| # This repository is a Python project and already uses CodeQL and Bandit | |
| # for static analysis and security scanning. | |
| # | |
| # The previous OSSAR-based workflow was designed primarily for .NET on | |
| # Windows runners and provided limited additional value, so it has been | |
| # intentionally disabled/removed. |
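Review bot: the suggested replacement turns `.github/workflows/ossar.yml` into a comment-only file with no `on:` or `jobs:` keys, which GitHub reports as an invalid workflow file rather than silently ignoring; if the decision is to drop OSSAR, delete the file in this PR instead of leaving a commented-out shell, and record the reason in the PR description or commit message rather than in a workflow file that no longer runs.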
| # Run open source static analysis tools | ||
| - name: Run OSSAR | ||
| uses: github/ossar-action@v1 | ||
| id: ossar | ||
|
|
||
| # Upload results to the Security tab | ||
| - name: Upload OSSAR results | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| with: | ||
| sarif_file: ${{ steps.ossar.outputs.sarifFile }} |
The OSSAR action is using version v1 (github/ossar-action@v1). According to the official OSSAR repository, this action has been deprecated and archived by GitHub. The repository states that OSSAR is no longer maintained and recommends using other tools like CodeQL for security analysis.
Since this is a deprecated action, it should not be added to the workflow. The repository already has CodeQL configured which provides comprehensive security analysis for Python code.
| # Run open source static analysis tools | |
| - name: Run OSSAR | |
| uses: github/ossar-action@v1 | |
| id: ossar | |
| # Upload results to the Security tab | |
| - name: Upload OSSAR results | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: ${{ steps.ossar.outputs.sarifFile }} |
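Review bot: the suggestion block reproduces the `Run OSSAR` and `Upload OSSAR results` steps exactly as they already appear above, so accepting it changes nothing; if the point is that `github/ossar-action@v1` should not be added at all, the suggestion needs to remove these two steps (and with them the `OSSAR-Scan` job, since an upload step with no SARIF input has nothing to do) or the file as a whole.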
| # The branches below must be a subset of the branches above | ||
| branches: [ "main" ] | ||
| schedule: | ||
| - cron: '0 0 * * */3' |
The cron schedule syntax is invalid. The expression '0 0 * * */3' attempts to use a step value in the day-of-week field (5th position), but this would mean "every 3rd day of the week" which isn't a valid cron expression and will likely fail or behave unexpectedly.
If the intention is to run every 3 days, the correct syntax should be '0 0 */3 * *' (every 3 days at midnight). If the intention is to run on specific days of the week, use explicit values like '0 0 * * 0,3,6' for Sunday, Wednesday, and Saturday.
Note: Other workflows in this repository use valid cron expressions like '18 12 * * 3' (CodeQL) and '30 22 * * 3' (Bandit) which run weekly on Wednesdays.
| - cron: '0 0 * * */3' | |
| - cron: '0 0 */3 * *' |
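Review bot: `'0 0 */3 * *'` steps through the day-of-month field, so it fires on the 1st, 4th, ..., 28th or 31st and then again on the 1st of the next month; the gap at a month boundary is one to three days rather than a fixed 72 hours, which is acceptable for a scheduled scan but should be described as "roughly every three days" in the workflow comment. The other scheduled scans in this repository (`'18 12 * * 3'` for CodeQL, `'30 22 * * 3'` for Bandit) run weekly on Wednesday, so using the same weekly slot here would be simpler and easier to reason about.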
Actionable comments posted: 1
🧹 Nitpick comments (2)
.github/workflows/ossar.yml (2)
34-56: Consider pinning actions to full commit SHAs instead of mutable tags.
Tags like `@v1`, `@v4`, and `@v3` can be moved to point at different commits. Pinning to a full SHA (e.g. `actions/checkout@<sha>`) with a version comment guards against tag-hijacking supply-chain attacks. This is recommended by GitHub's own security hardening guide.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/ossar.yml around lines 34 - 56, Replace mutable action tags with pinned commit SHAs: update uses: actions/checkout@v4, uses: github/ossar-action@v1, and uses: github/codeql-action/upload-sarif@v3 to use the corresponding full commit SHAs (e.g., actions/checkout@<sha>) and add a short inline comment indicating the released tag/version you pinned from; ensure this change is applied to the "Checkout repository", "Run OSSAR" and "Upload OSSAR results" steps so the workflow references immutable commits instead of `@v`* tags.
17-18: Cron schedule may not match the intended cadence.
`0 0 * * */3` fires on days-of-week 0, 3, and 6 (Sunday, Wednesday, Saturday), that is three times a week with gaps of 1–2 days, not "every three days." If the intent is roughly every 72 hours, a simpler approximation is twice a week or a fixed set of days, since cron cannot express "every N calendar days." If the current behaviour is acceptable, no change needed.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/ossar.yml around lines 17 - 18, The cron expression uses the day-of-week field (`*/3` in the fifth position) instead of the day-of-month field, so it currently runs on Sun/Wed/Sat; replace the schedule value to match the intended cadence: if you want "every 3 calendar days" use '0 0 */3 * *' (every 3rd day of month), or if you want specific weekdays use '0 0 * * 0,3,6' (Sun/Wed/Sat), and update the schedule line in the OSSAR workflow accordingly.
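The two cron comments above reason about `0 0 * * */3` and `0 0 */3 * *` by hand. The script below, an added example for this review thread and not code from the cloudstile project or from either review bot, enumerates the days on which a five-field GitHub Actions schedule actually fires and reports the gaps between runs, so a proposed schedule can be checked before it is committed. It assumes GitHub's field order (minute, hour, day-of-month, month, day-of-week, with Sunday = 0 and 7 accepted as Sunday) and the Vixie-cron rule that a day field beginning with `*` is unrestricted while two restricted day fields combine with OR; the 2024 and 2025 windows are constructed for the demonstration.

```python
"""Enumerate the days on which a 5-field GitHub Actions cron schedule fires.

Added example for this review thread; not code from the cloudstile project
or from either review bot.  Assumptions (labelled here and in comments):
  - field order is minute hour day-of-month month day-of-week, with
    day-of-week 0 = Sunday (7 is also accepted for Sunday);
  - the Vixie-cron rule applies: a day field that starts with '*' is
    unrestricted, and when BOTH day fields are restricted a day matches if
    EITHER field matches.
"""
from datetime import date, timedelta

# (low, high) per field; day-of-week allows 7 so that it can be folded onto Sunday.
RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def parse_field(spec, low, high):
    """Expand one cron field ('*', '*/3', '1,4', '0-6/2', ...) into a set of ints."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"bad step in {spec!r}")
        if part == "*":
            start, end = low, high
        elif "-" in part:
            start_text, end_text = part.split("-", 1)
            start, end = int(start_text), int(end_text)
        else:
            start = end = int(part)
        if not low <= start <= end <= high:
            raise ValueError(f"{part!r} outside {low}-{high} in {spec!r}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Parse a 5-field expression into per-field value sets plus the
    'starts with *' flags for the two day fields (used for the Vixie rule)."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour day-of-month month day-of-week")
    sets = [parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, RANGES)]
    sets[4] = {0 if d == 7 else d for d in sets[4]}      # fold Sunday=7 onto 0
    return sets, fields[2].startswith("*"), fields[4].startswith("*")


def fire_days(expr, start, days):
    """Calendar days in [start, start + days) on which the schedule fires.
    `start` may be a date or an ISO 'YYYY-MM-DD' string."""
    if isinstance(start, str):
        start = date.fromisoformat(start)
    (_, _, dom, months, dow), dom_star, dow_star = parse_cron(expr)
    result = []
    for offset in range(days):
        day = start + timedelta(days=offset)
        if day.month not in months:
            continue
        dom_ok = day.day in dom
        dow_ok = day.isoweekday() % 7 in dow          # Python Sunday=7 -> cron 0
        # Vixie rule (assumed): AND when either day field is unrestricted, else OR.
        if (dom_ok and dow_ok) if (dom_star or dow_star) else (dom_ok or dow_ok):
            result.append(day)
    return result


def gap_profile(expr, start, days):
    """Sorted distinct gaps (in days) between consecutive firings; a single
    value means the cadence is regular, several values mean it drifts."""
    fired = fire_days(expr, start, days)
    return sorted({(b - a).days for a, b in zip(fired, fired[1:])})


if __name__ == "__main__":
    window = "2024-01-01"      # constructed window: one full leap year
    for expr in ("0 0 * * */3", "0 0 */3 * *", "0 0 * * 3"):
        runs = len(fire_days(expr, window, 366))
        print(f"{expr:12s} fires {runs:3d} times in 2024; gaps (days): {gap_profile(expr, window, 366)}")
```

Over 2024 the day-of-week form fires 156 times with gaps of 1 and 3 days, the day-of-month form 127 times with gaps of 1, 2 and 3 days (the 2-day gap is the leap-year February), and the weekly Wednesday slot used by the repository's other scans 52 times, always 7 days apart. The OR rule only matters when both day fields are restricted, for example `0 0 10 * 1` (the 10th of the month or any Monday), which the day-of-week step forms on this page never trigger.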
| - name: Run OSSAR | ||
| uses: github/ossar-action@v1 | ||
| id: ossar |
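Review bot: `uses: github/ossar-action@v1` resolves to the release that runs on the Node.js 12 action runtime, which GitHub has deprecated, so this step can start failing on current runners; move to the v2 release (`github/ossar-action@v2`), and because `v2` is itself a movable tag, pin the step to the full commit SHA of that release with `# v2.0.0` kept as a trailing comment so the upgrade is both current and immutable.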
🧩 Analysis chain
🌐 Web query:
github ossar-action repository status archived 2024 2025
💡 Result:
As of February 17, 2026, the github/ossar-action repository is not archived (it does not show GitHub’s “This repository was archived…” read-only banner, and it is still presented as a normal public repo). [1]
A third-party tracker page for the same repo also lists it as “Maintained.” [2]
Sources: [1] [2]
🌐 Web query:
github ossar-action deprecated .NET Core 3.1
💡 Result:
github/ossar-action isn’t “deprecated because it uses .NET Core 3.1” — the old OSSAR tag (@v1) is outdated because it runs on the deprecated Node.js 12 runtime (runs: using: node12).[1]
Fix: update your workflow to use github/ossar-action@v2.0.0 (or @v2), which runs on Node.js 20.[2]
Also note: OSSAR runs the Microsoft Security DevOps CLI, which requires .NET 6+ on the runner (per the OSSAR README), not .NET Core 3.1.[3] Separately, .NET Core 3.1 itself has been out of support since December 13, 2022.[4]
Sources
[1] https://raw.githubusercontent.com/github/ossar-action/v1/action.yml
[2] https://raw.githubusercontent.com/github/ossar-action/v2.0.0/action.yml
[3] https://raw.githubusercontent.com/github/ossar-action/main/README.md
[4] https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core
🌐 Web query:
microsoft security code analysis CLI .NET Core 3.1 end of support
💡 Result:
- .NET Core 3.1 is out of support: Microsoft ended support for .NET Core 3.1 on December 13, 2022 (no more servicing/security updates or technical support). Any CLI built on `netcoreapp3.1` is therefore running on an unsupported runtime unless it has been rebuilt for a supported .NET version. [1], [2]
- Microsoft Security Code Analysis (MSCA) was retired: Microsoft announced the MSCA extension would be retired effective March 1, 2022 (no further upgrades/enhancements; supported only until that date). [3]
Implication: If you’re referring to the MSCA CLI that targets .NET Core 3.1, it’s effectively in a double end-of-support state: the MSCA tooling was retired (2022-03-01) and the underlying runtime is EOL (2022-12-13). [1], [2], [3]
Sources
[1] .NET support policy / lifecycle table (shows .NET Core 3.1 end of support: 2022-12-13): https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core
[2] .NET Blog announcement: “.NET Core 3.1 will reach End of Support on December 13, 2022”: https://devblogs.microsoft.com/dotnet/net-core-3-1-will-reach-end-of-support-on-december-13-2022/
[3] Microsoft “Security Code Analysis” post (March 2021 update: retired March 1, 2022): https://devblogs.microsoft.com/premier-developer/microsoft-security-code-analysis/
Upgrade to github/ossar-action@v2 to use Node.js 20 runtime.
The @v1 tag uses deprecated Node.js 12, which may cause failures on newer GitHub Actions runners. Update to github/ossar-action@v2.0.0 (or @v2), which runs on Node.js 20.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/ossar.yml around lines 48 - 50, Update the OSSAR GitHub
Action usage to the v2 release to get Node.js 20: replace the uses reference
"github/ossar-action@v1" with "github/ossar-action@v2" (or
"github/ossar-action@v2.0.0") in the workflow step named "Run OSSAR" (the step
using the ossar action with id "ossar") so the action runs on Node.js 20 instead
of the deprecated Node.js 12 runtime.
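The SHA-pinning nitpick earlier in this thread and the v1-to-v2 finding above come down to the same check: which `uses:` references in a workflow point at a movable tag, and whether a reference that is already pinned still carries the tag it was taken from. The script below is an added example for this review thread, not code from the cloudstile project or from either review bot; it scans workflow text for `uses:` lines without a YAML library, classifies each reference, and is driven by a constructed copy of the three steps from the OSSAR workflow plus one hypothetical pinned step (the `example/pinned-action` name and its SHA are made up for the demonstration).

```python
"""Flag GitHub Actions 'uses:' references that are not pinned to a full commit SHA.

Added example for this review thread; not code from the cloudstile project or
from either review bot.  Assumptions: the workflow is scanned as plain text
(one 'uses:' per line, unquoted values); a 40-hex-digit ref counts as pinned,
a tag or branch such as @v4 is mutable; and the "tag in a trailing comment"
convention means a '# v4.x' style comment after a pinned SHA.  The sample
workflow and the pinned step in it are constructed for the example.
"""
import re

# '  - uses: owner/repo@ref   # optional comment'
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(?:#\s*(.*))?$")
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def classify_ref(ref):
    """Return (kind, path, version) for one uses: value."""
    if ref.startswith("./"):
        return "local", ref, None          # same-repo action, fixed by the commit itself
    if ref.startswith("docker://"):
        return "docker", ref, None         # image refs need digest pinning; out of scope here
    path, _, version = ref.partition("@")
    if not version:
        return "unversioned", path, None   # GitHub rejects this, but report it anyway
    if SHA_RE.match(version):
        return "sha", path, version
    return "mutable", path, version


def audit_uses(workflow_text):
    """Scan workflow text; return one dict per uses: line with the line number,
    the reference, its kind and the advice to apply."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), (m.group(2) or "").strip()
        kind, path, version = classify_ref(ref)
        if kind == "mutable":
            advice = (f"pin {path} to the commit SHA that {version} resolves to "
                      f"and keep '# {version}' as a trailing comment")
        elif kind == "sha" and not re.match(r"v?\d", comment):
            advice = "pinned, but add the tag it was pinned from as a trailing comment"
        elif kind == "unversioned":
            advice = "missing @ref entirely"
        else:
            advice = "ok"
        findings.append({"line": lineno, "ref": ref, "kind": kind, "advice": advice})
    return findings


def mutable_refs(workflow_text):
    """Only the movable references: the list a CI gate should require to be empty."""
    return [f["ref"] for f in audit_uses(workflow_text) if f["kind"] == "mutable"]


# Constructed sample: the three actions from the OSSAR workflow under review,
# plus one already-pinned step (hypothetical action and SHA) to show what passes.
SAMPLE_WORKFLOW = """\
jobs:
  OSSAR-Scan:
    runs-on: windows-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Run OSSAR
        uses: github/ossar-action@v1
      - name: Upload OSSAR results
        uses: github/codeql-action/upload-sarif@v3
      - name: Pinned step (hypothetical SHA, not a real release)
        uses: example/pinned-action@0123456789abcdef0123456789abcdef01234567 # v2.1.0
"""

if __name__ == "__main__":
    for f in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {f['line']:2d} {f['kind']:11s} {f['ref']}: {f['advice']}")
```

`mutable_refs` is the piece to wire into a CI gate (fail the job when it returns a non-empty list); `audit_uses` is the human-readable report. Resolving a tag to its commit SHA is deliberately left to the reviewer (for example `git ls-remote` against the action repository), since the check's only job is to refuse a movable reference.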
OSSAR will not be implemented due to it being EoL.