56 changes: 56 additions & 0 deletions .github/workflows/ossar.yml
@@ -0,0 +1,56 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# This workflow integrates a collection of open source static analysis tools
# with GitHub code scanning. For documentation, or to provide feedback, visit
# https://github.com/github/ossar-action
name: OSSAR

on:
push:
branches: [ "main" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "main" ]
schedule:
- cron: '0 0 * * */3'
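Review bot: the schedule expression `'0 0 * * */3'` places the `*/3` step in the day-of-week field, so under standard cron semantics it fires at 00:00 UTC on days 0, 3 and 6 (Sunday, Wednesday and Saturday) rather than "every third day", which is what the step value reads like. State the intent explicitly: `- cron: '0 0 * * 0,3,6'` for three fixed days a week, or `- cron: '0 0 */3 * *'` if a run every third day of the month is what is wanted.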

Copilot AI Feb 17, 2026

The cron schedule syntax is invalid. The expression '0 0 * * */3' attempts to use a step value in the day-of-week field (5th position), but this would mean "every 3rd day of the week" which isn't a valid cron expression and will likely fail or behave unexpectedly.

If the intention is to run every 3 days, the correct syntax should be '0 0 */3 * *' (every 3 days at midnight). If the intention is to run on specific days of the week, use explicit values like '0 0 * * 0,3,6' for Sunday, Wednesday, and Saturday.

Note: Other workflows in this repository use valid cron expressions like '18 12 * * 3' (CodeQL) and '30 22 * * 3' (Bandit) which run weekly on Wednesdays.

Suggested change
- cron: '0 0 * * */3'
- cron: '0 0 */3 * *'

permissions:
contents: read

jobs:
OSSAR-Scan:
# OSSAR runs on windows-latest.
# ubuntu-latest and macos-latest support coming soon
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: windows-latest

steps:
- name: Checkout repository
uses: actions/checkout@v4

# Ensure a compatible version of dotnet is installed.
# The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
# A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action.
# GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
# For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
# - name: Install .NET
# uses: actions/setup-dotnet@v4
# with:
# dotnet-version: '3.1.x'

# Run open source static analysis tools
- name: Run OSSAR
uses: github/ossar-action@v1
id: ossar
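Review bot: `uses: github/ossar-action@v1` pulls a third-party action (the header comment says it is not certified by GitHub) by a mutable major-version tag, and that code runs in a job holding `security-events: write`, so its behaviour can change with no commit to this repository; pin it to a full commit SHA with the version kept as a trailing comment, for example `uses: github/ossar-action@<full-commit-sha> # v1` (placeholder), so the tag can be moved only by a reviewed update. The commented dotnet guidance above the step (`v3.1.201`, `dotnet-version: '3.1.x'`) is also stale relative to the findings elsewhere on this page that `@v1` runs on the retired Node.js 12 runtime and that the current OSSAR release needs .NET 6+, so refresh or drop that comment block when the tag is bumped.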
Comment on lines +48 to +50

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

github ossar-action repository status archived 2024 2025

💡 Result:

As of February 17, 2026, the github/ossar-action repository is not archived (it does not show GitHub’s “This repository was archived…” read-only banner, and it is still presented as a normal public repo). [1]
A third-party tracker page for the same repo also lists it as “Maintained.” [2]

Sources: [1] [2]


🌐 Web query:

github ossar-action deprecated .NET Core 3.1

💡 Result:

github/ossar-action isn’t “deprecated because it uses .NET Core 3.1” — the old OSSAR tag (@v1) is outdated because it runs on the deprecated Node.js 12 runtime (runs: using: node12).[1]

Fix: update your workflow to use github/ossar-action@v2.0.0 (or @v2), which runs on Node.js 20.[2]

Also note: OSSAR runs the Microsoft Security DevOps CLI, which requires .NET 6+ on the runner (per the OSSAR README), not .NET Core 3.1.[3] Separately, .NET Core 3.1 itself has been out of support since December 13, 2022.[4]

Sources
[1] https://raw.githubusercontent.com/github/ossar-action/v1/action.yml
[2] https://raw.githubusercontent.com/github/ossar-action/v2.0.0/action.yml
[3] https://raw.githubusercontent.com/github/ossar-action/main/README.md
[4] https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core


🌐 Web query:

microsoft security code analysis CLI .NET Core 3.1 end of support

💡 Result:

  • .NET Core 3.1 is out of support: Microsoft ended support for .NET Core 3.1 on December 13, 2022 (no more servicing/security updates or technical support). Any CLI built on netcoreapp3.1 is therefore running on an unsupported runtime unless it has been rebuilt for a supported .NET version. [1], [2]
  • Microsoft Security Code Analysis (MSCA) was retired: Microsoft announced the MSCA extension would be retired effective March 1, 2022 (no further upgrades/enhancements; supported only until that date). [3]

Implication: If you’re referring to the MSCA CLI that targets .NET Core 3.1, it’s effectively in a double end-of-support state: the MSCA tooling was retired (2022-03-01) and the underlying runtime is EOL (2022-12-13). [1], [2], [3]

Sources
[1] .NET support policy / lifecycle table (shows .NET Core 3.1 end of support: 2022-12-13): https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core
[2] .NET Blog announcement: “.NET Core 3.1 will reach End of Support on December 13, 2022”: https://devblogs.microsoft.com/dotnet/net-core-3-1-will-reach-end-of-support-on-december-13-2022/
[3] Microsoft “Security Code Analysis” post (March 2021 update: retired March 1, 2022): https://devblogs.microsoft.com/premier-developer/microsoft-security-code-analysis/


Upgrade to github/ossar-action@v2 to use Node.js 20 runtime.

The @v1 tag uses deprecated Node.js 12, which may cause failures on newer GitHub Actions runners. Update to github/ossar-action@v2.0.0 (or @v2), which runs on Node.js 20.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ossar.yml around lines 48 - 50, Update the OSSAR GitHub
Action usage to the v2 release to get Node.js 20: replace the uses reference
"github/ossar-action@v1" with "github/ossar-action@v2" (or
"github/ossar-action@v2.0.0") in the workflow step named "Run OSSAR" (the step
using the ossar action with id "ossar") so the action runs on Node.js 20 instead
of the deprecated Node.js 12 runtime.


# Upload results to the Security tab
- name: Upload OSSAR results
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
Comment on lines +1 to +56

Copilot AI Feb 17, 2026

OSSAR (Open Source Static Analysis Runner) is primarily designed for .NET/C# projects and requires Windows runners. This is a Python project (cloudstile - a Cloudflare Turnstile library) that already has comprehensive static analysis coverage through CodeQL and Bandit workflows.

OSSAR may provide limited value for this Python codebase since:

  1. It's optimized for .NET static analysis tools
  2. The repository already has CodeQL (line 68 uses github/codeql-action/init@v3) which provides excellent multi-language support including Python
  3. The repository already has Bandit (line 34 in bandit.yml) which is Python-specific security scanning

Consider whether adding OSSAR provides sufficient value to justify maintaining another security workflow, or if the existing CodeQL and Bandit workflows provide adequate coverage.

Suggested change
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow integrates a collection of open source static analysis tools
# with GitHub code scanning. For documentation, or to provide feedback, visit
# https://github.com/github/ossar-action
name: OSSAR
on:
push:
branches: [ "main" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "main" ]
schedule:
- cron: '0 0 * * */3'
permissions:
contents: read
jobs:
OSSAR-Scan:
# OSSAR runs on windows-latest.
# ubuntu-latest and macos-latest support coming soon
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: windows-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Ensure a compatible version of dotnet is installed.
# The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
# A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action.
# GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
# For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
# - name: Install .NET
# uses: actions/setup-dotnet@v4
# with:
# dotnet-version: '3.1.x'
# Run open source static analysis tools
- name: Run OSSAR
uses: github/ossar-action@v1
id: ossar
# Upload results to the Security tab
- name: Upload OSSAR results
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
# Deprecated workflow (OSSAR) removed.
# This repository is a Python project and already uses CodeQL and Bandit
# for static analysis and security scanning.
#
# The previous OSSAR-based workflow was designed primarily for .NET on
# Windows runners and provided limited additional value, so it has been
# intentionally disabled/removed.

Comment on lines +47 to +56

Copilot AI Feb 17, 2026

The OSSAR action is using version v1 (github/ossar-action@v1). According to the official OSSAR repository, this action has been deprecated and archived by GitHub. The repository states that OSSAR is no longer maintained and recommends using other tools like CodeQL for security analysis.

Since this is a deprecated action, it should not be added to the workflow. The repository already has CodeQL configured which provides comprehensive security analysis for Python code.

Suggested change
# Run open source static analysis tools
- name: Run OSSAR
uses: github/ossar-action@v1
id: ossar
# Upload results to the Security tab
- name: Upload OSSAR results
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
