This topic explains how to review the results of static analysis with C/C++test on GitHub.

Introduction

To display results of static analysis as GitHub code scanning alerts, you need to upload the results to GitHub in the SARIF (Static Analysis Results Interchange Format) format. Parasoft provides a GitHub action that allows you to run C/C++test and automatically generate a SARIF report to be uploaded to GitHub. Alternatively, you can run analysis independently of GitHub and then manually upload the results.

For your convenience, we recommend running analysis and uploading results to GitHub using the GitHub action.

Uploading Results to GitHub with the GitHub Action (Recommended)

Add the Run Parasoft C/C++test action to your GitHub workflow file. The action automatically generates a SARIF report when the workflow executes. The report can then be uploaded to GitHub to enable reviewing the results as GitHub code scanning alerts directly in your project. See the details at https://github.com/marketplace/actions/run-parasoft-c-c-test.

Manually Uploading Results to GitHub

If you want to run analysis outside of your GitHub workflow and manually upload the SARIF report to GitHub, you need to configure the SARIF report format and ensure that your GitHub repository is properly configured with C/C++test settings.

  1. Ensure that the settings for Git are properly configured in the cpptestcli.properties file. See Connecting to Source Control and Git Source Control Settings for details.

  2. Configure C/C++test to include information about repositories, file paths, and revisions in the C/C++test report by setting the report.scontrol option to min or full; see report.scontrol.

  3. Configure C/C++test to generate the report in the SARIF format; see report.format.

  4. Upload the SARIF report to GitHub; see GitHub Docs for details.
