This topic explains how to review the results of static analysis with dotTEST on GitHub.
Introduction
To display the results of static analysis as GitHub code scanning alerts, you need to upload the results to GitHub in SARIF (Static Analysis Results Interchange Format). Parasoft provides a GitHub action that runs dotTEST and automatically generates a SARIF report that can be uploaded to GitHub. Alternatively, you can run the analysis independently of GitHub and upload the results manually.
For your convenience, we recommend running analysis and uploading results to GitHub using the GitHub action.
Uploading Results to GitHub with the GitHub Action (Recommended)
Add the Run Parasoft dotTEST action to your GitHub workflow file. The action automatically generates a SARIF report when the workflow executes. The report can then be uploaded to GitHub to enable reviewing the results as GitHub scanning alerts directly in your project. See the details at https://github.com/marketplace/actions/run-parasoft-dottest.
Manually Uploading Results to GitHub
If you want to run analysis outside of your GitHub workflow and upload the SARIF report to GitHub manually, you need to configure dotTEST to generate the report in the SARIF format and to record your Git repository information in the report, so that GitHub can match the results to the files and commits in your repository.
- Ensure that the settings for Git are properly configured in dottestcli.properties. See Connecting to Source Control and Git Source Control Settings for details.
- Configure dotTEST to include information about repositories, file paths, and revisions in the report by setting the report.scontrol option to min or full; see report.scontrol. GitHub uses this information to map alerts to files and revisions in your repository.
- Configure dotTEST to generate the report in the SARIF format; see report.format.
- Upload the SARIF report to GitHub; see GitHub Docs for details.
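The following shell script is an added example of the manual procedure above; it is not Parasoft's or GitHub's own code. It writes a dottestcli.properties fragment, checks that the resulting SARIF report is well formed and within GitHub's size limit, packages it the way GitHub's code scanning upload endpoint expects (gzip, then base64 on a single line), and issues the upload through the gh CLI. The properties keys report.scontrol and report.format come from this page; the Git keys (scontrol.rep.type, scontrol.rep.git.url, scontrol.rep.git.workspace) and the value report.format=sarif are assumed from the referenced Git Source Control Settings and report.format topics, and the repository, branch, and commit values are placeholders. The sample SARIF file is constructed here for demonstration; in practice you would use the report dotTEST generated.

```shell
#!/bin/sh
# Added example (not Parasoft's or GitHub's code). Assumes: gh is installed and
# authenticated with a token that has security_events (code scanning) write access;
# gzip and base64 are available. Set UPLOAD=1 to actually send the request.

# Step 1-3: properties fragment. report.scontrol and report.format are documented on
# this page; the scontrol.rep.* keys are assumed from Git Source Control Settings.
write_dottest_props() {
  cat > "$1" <<'EOF'
# Git source control settings (assumed key names; see Git Source Control Settings)
scontrol.rep.type=git
scontrol.rep.git.url=https://github.com/acme/widgets.git
scontrol.rep.git.workspace=${workspace}
# Record repository, file path and revision information in the report (min or full)
report.scontrol=min
# Generate the report as SARIF (value assumed from the report.format topic)
report.format=sarif
EOF
}

# Constructed minimal SARIF 2.1.0 report standing in for dotTEST's output.
write_sample_sarif() {
  cat > "$1" <<'EOF'
{"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json",
 "runs":[{"tool":{"driver":{"name":"dotTEST","rules":[{"id":"EXAMPLE.RULE"}]}},
 "results":[{"ruleId":"EXAMPLE.RULE","level":"warning",
   "message":{"text":"constructed finding"},
   "locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/Program.cs"},
     "region":{"startLine":42}}}]}]}]}
EOF
}

# Sanity check: SARIF 2.1.0 with a runs array, otherwise GitHub rejects the upload.
sarif_looks_valid() {
  grep -q '"version"[[:space:]]*:[[:space:]]*"2.1.0"' "$1" && grep -q '"runs"' "$1"
}

# GitHub rejects gzip-compressed SARIF uploads larger than 10 MB.
sarif_gz_size_ok() {
  size=$(gzip -c "$1" | wc -c | tr -d ' ')
  [ "$size" -le 10485760 ]
}

# Step 4 payload: gzip, then base64 without line breaks, as the upload API expects.
sarif_payload() {
  gzip -c "$1" | base64 | tr -d '\n'
}

# Inverse of sarif_payload, used to verify the round trip before uploading.
sarif_unpack() {
  printf '%s' "$1" | base64 -d | gzip -dc
}

# Upload via POST /repos/{owner}/{repo}/code-scanning/sarifs. commit_sha must be the
# revision that was analysed and ref a full ref (refs/heads/... or refs/pull/N/merge),
# otherwise the alerts do not appear on the right commit or pull request.
upload_sarif() {
  file="$1"; owner="$2"; repo="$3"; sha="$4"; ref="$5"
  sarif_looks_valid "$file" || { echo "not a SARIF 2.1.0 report: $file" >&2; return 1; }
  sarif_gz_size_ok "$file" || { echo "gzipped report exceeds 10 MB: $file" >&2; return 1; }
  payload=$(sarif_payload "$file")
  if [ "${UPLOAD:-0}" = "1" ]; then
    gh api --method POST "/repos/$owner/$repo/code-scanning/sarifs" \
      -f commit_sha="$sha" -f ref="$ref" -f tool_name="dotTEST" -f sarif="$payload"
  else
    echo "would POST /repos/$owner/$repo/code-scanning/sarifs commit_sha=$sha ref=$ref (payload ${#payload} bytes)"
  fi
}

# Dry-run demonstration with the constructed report and placeholder values.
demo_dir=$(mktemp -d)
write_dottest_props "$demo_dir/dottestcli.properties"
write_sample_sarif "$demo_dir/report.sarif"
upload_sarif "$demo_dir/report.sarif" acme widgets 0123456789abcdef0123456789abcdef01234567 refs/heads/main
```

Run the script once without UPLOAD to confirm the report passes the checks, then rerun with UPLOAD=1 after analysing the exact commit you pass as commit_sha; if report.scontrol is left unset, the artifact URIs in the report may not be relative to the repository root and GitHub will not be able to place the alerts on the correct files.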