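# SqC Static Analysis - GitHub Actions Example Workflow
#
# This workflow runs SqC CERT C analysis on your C/C++ codebase.
# - On PRs: analyzes only changed files (--diff mode)
# - On push to main: full repository scan
# - Uploads SARIF results to GitHub Code Scanning
#
# Prerequisites:
#   - SqC must be built or available as a binary
#   - A sqc-rules.toml manifest (or use built-in defaults)
#
# Token scoping:
#   - The workflow-level `permissions` block reduces GITHUB_TOKEN to read-only
#     for every job; individual jobs add back only the scopes they need.
#   - A job that declares `permissions` receives *none* of the scopes it does
#     not list, so the analysis jobs request `contents: read` explicitly for
#     actions/checkout rather than relying on the repository default.
#   - `actions: read` is required by upload-sarif on private repositories.
#   - Pull requests from forks run with a read-only token and cannot write
#     security events; the SARIF upload is skipped there instead of failing.
#   - For supply-chain hardening, pin each `uses:` to a full commit SHA
#     instead of a mutable tag (e.g. `actions/checkout@<full-commit-sha>`)
#     and let Dependabot keep the pins current.

---
name: SqC CERT C Analysis

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least-privilege default for the whole workflow; jobs opt back in below.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always

jobs:
  build:
    name: Build SqC
    runs-on: ubuntu-latest
    # Building only needs to read the repository (inherited from the
    # workflow-level default); stated here so the intent survives edits.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4

      - name: Cache Cargo registry and build
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-

      - name: Build SqC
        run: cargo build --release

      - name: Upload SqC binary
        uses: actions/upload-artifact@v4
        with:
          name: sqc-binary
          path: target/release/sqc
          # Short retention: the binary only has to outlive the dependent
          # analysis jobs in this run.
          retention-days: 1

  analyze-pr:
    name: Analyze PR (diff only)
    if: github.event_name == 'pull_request'
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read          # actions/checkout
      security-events: write  # upload-sarif
      actions: read           # upload-sarif on private repositories
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Full history for --diff mode

      - name: Download SqC binary
        uses: actions/download-artifact@v4
        with:
          name: sqc-binary

      # Artifacts do not preserve the execute bit.
      - name: Make SqC executable
        run: chmod +x sqc

      # --fail-on-severity makes this step fail the job when a High finding
      # is present; the upload step below still runs so the findings are
      # visible in Code Scanning.
      - name: Run SqC (diff mode)
        run: |
          ./sqc . --diff \
            --min-severity Medium \
            --fail-on-severity High \
            --export results.sarif

      - name: Upload SARIF to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        # Upload even when sqc exited non-zero, but only for PRs from this
        # repository: fork PRs get a read-only token and the upload would fail.
        if: >-
          always() &&
          github.event.pull_request.head.repo.full_name == github.repository
        with:
          sarif_file: results.sarif

  analyze-full:
    name: Full Analysis
    if: github.event_name == 'push'
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read          # actions/checkout
      security-events: write  # upload-sarif
      actions: read           # upload-sarif on private repositories
    steps:
      - uses: actions/checkout@v4

      - name: Download SqC binary
        uses: actions/download-artifact@v4
        with:
          name: sqc-binary

      # Artifacts do not preserve the execute bit.
      - name: Make SqC executable
        run: chmod +x sqc

      # --fail-on-severity makes this step fail the job when a High finding
      # is present; the upload step below still runs so the findings are
      # visible in Code Scanning.
      - name: Run SqC (full scan)
        run: |
          ./sqc . -d . \
            --min-severity Medium \
            --fail-on-severity High \
            --export results.sarif

      - name: Upload SARIF to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        # Upload even when sqc exited non-zero so findings reach Code Scanning.
        if: always()
        with:
          sarif_file: results.sarif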