This repository has been archived by the owner on Jul 30, 2023. It is now read-only.

tomasbjerre/violation-comments-action

Violation Comments Action


This is a GitHub action that can comment on pull requests with results from static code analysis. It supports many different formats.

It uses Violation Comments To GitHub Command Line.

Usage

Parsers and parameters are documented in the command line tool:

https://github.com/tomasbjerre/violation-comments-to-github-command-line

Example:

- name: Violation Comments Action
  uses: tomasbjerre/violation-comments-action@master
  with:
    parser: FINDBUGS
    regexp: '.*spotbugs/main\.xml$'

You may also set these optional parameters:

- name: Violation Comments Action
  uses: tomasbjerre/violation-comments-action@master
  with:
    parser: FINDBUGS
    regexp: '.*spotbugs/main\.xml$'
    # Optional config below
    keepOldComments: true # remove the old comments, or keep them
    commentTemplate: '{{violation.message}}' # see https://github.com/tomasbjerre/violation-comments-lib
    maxNumberOfViolations: 99 # Will only post this many comments
    severity: INFO # INFO, WARN or ERROR
    commentOnlyChangedContent: true # Comment only if violations in the changed part of PR
    commentOnlyChangedFiles: true # Comment only on the files that are changed in PR
    createSingleFileComments: true # Create one comment per violation
    createCommentWithAllSingleFileComments: false # Create one big comment with all violations

If you invoke it several times in the same pipeline, you may want to set keepOldComments: false on the first invocation:

- name: Spotbugs
  uses: tomasbjerre/violation-comments-action@master
  with:
    parser: FINDBUGS
    regexp: '.*spotbugs/main\.xml$'
    keepOldComments: false
- name: Checkstyle
  uses: tomasbjerre/violation-comments-action@master
  with:
    parser: CHECKSTYLE
    regexp: '.*checkstyle/main\.xml$'
    keepOldComments: true

You can set a custom template like this:

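- name: create template
  run: |
    # The heredoc body is indented with the rest of the block so the YAML
    # stays valid; YAML strips that indentation before the shell runs it.
    VIOLATION_TEMPLATE=$(cat << EOF
    {{violation.message}}
    EOF
    )
    # Multi-line value in GITHUB_ENV: NAME<<DELIMITER, the value, DELIMITER
    echo "VIOLATION_TEMPLATE<<EOF" >> "$GITHUB_ENV"
    echo "$VIOLATION_TEMPLATE" >> "$GITHUB_ENV"
    echo "EOF" >> "$GITHUB_ENV"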
- name: Spotbugs
  uses: tomasbjerre/violation-comments-action@master
  with:
    parser: FINDBUGS
    regexp: '.*spotbugs/main\.xml$'
    commentTemplate: ${{ env.VIOLATION_TEMPLATE }}
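
The step above delimits the value in GITHUB_ENV with a fixed EOF marker, which holds only while no line of the template is exactly EOF; GitHub's documentation for multi-line values asks for a delimiter that cannot occur on a line of its own in the value. The following is an added example, not code from this project (set_multiline_env and env_names are names chosen here): it writes the block with a random delimiter and lists the variable names a file in this format defines.

```shell
#!/bin/sh
# Added example: write a multi-line value to a GITHUB_ENV-format file with a
# random delimiter. Function names are this example's own.

# set_multiline_env NAME VALUE [FILE]; FILE defaults to $GITHUB_ENV.
set_multiline_env() {
  name=$1 value=$2 file=${3:-${GITHUB_ENV:-}}
  [ -n "$file" ] || { echo "no target file (GITHUB_ENV unset)" >&2; return 1; }

  # Only plain identifiers are accepted as variable names.
  case $name in
    ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid name: $name" >&2; return 1 ;;
  esac

  # 16 random bytes as hex: whoever supplied the value cannot predict it.
  delim="delim_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"

  # Refuse a value that carries the delimiter on a line of its own.
  if printf '%s\n' "$value" | grep -qxF -- "$delim"; then
    echo "value contains the delimiter" >&2; return 1
  fi

  {
    printf '%s<<%s\n' "$name" "$delim"
    printf '%s\n' "$value"
    printf '%s\n' "$delim"
  } >> "$file"
}

# env_names FILE: variable names a NAME=value / NAME<<DELIM file defines.
# Simplified reading of the format, for checking what a step exported.
env_names() {
  awk '
    delim != "" { if ($0 == delim) delim = ""; next }
    /^[A-Za-z_][A-Za-z0-9_]*<</ {
      i = index($0, "<<"); print substr($0, 1, i - 1)
      delim = substr($0, i + 2); next
    }
    /^[A-Za-z_][A-Za-z0-9_]*=/ { print substr($0, 1, index($0, "=") - 1) }
  ' "$1"
}
```

In the workflow step, the three echo lines become a single call: set_multiline_env VIOLATION_TEMPLATE "$VIOLATION_TEMPLATE".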

To make it run only on pull requests, you can do:

jobs:
  static-code-analysis:
    if: ${{ github.event_name == 'pull_request' || github.head_ref != github.base_ref }} # if it is a PR build

Also example here.
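
Every example above references the action as @master, a branch name that resolves to whatever commit the branch points at when the job runs; GitHub's hardening guidance is to pin third-party actions to a full commit SHA. The following is an added check for that, not part of this project (unpinned_uses is a name chosen here): it lists the uses: references in workflow files that are not pinned to a 40-character commit SHA.

```shell
#!/bin/sh
# Added example: list `uses:` references in workflow files that are not
# pinned to a full 40-character commit SHA.

# unpinned_uses FILE...
# Prints "file:line: reference" per finding; returns 1 if anything was found.
unpinned_uses() {
  awk -v q="'" '
    /^[ \t]*(-[ \t]*)?uses:[ \t]*/ {
      ref = $0
      sub(/^[ \t]*(-[ \t]*)?uses:[ \t]*/, "", ref)
      sub(/[ \t]+#.*$/, "", ref)          # trailing YAML comment
      sub(/[ \t\r]+$/, "", ref)           # trailing whitespace
      gsub("[\"" q "]", "", ref)          # surrounding quotes
      # Local actions and container images have no git ref to pin.
      if (ref ~ /^\.\.?\// || ref ~ /^docker:/) next
      n = split(ref, part, "@")
      sha = (n > 1) ? part[n] : ""
      if (length(sha) != 40 || sha !~ /^[0-9a-f]+$/) {
        printf "%s:%d: %s\n", FILENAME, FNR, ref
        bad = 1
      }
    }
    END { exit bad }
  ' "$@"
}
```

Run it as unpinned_uses .github/workflows/*.yml; the non-zero return status lets a CI step fail when a branch or tag reference is present.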

A number of parsers have been implemented. Some parsers can parse output from several reporters.

Reporter               Parser            Notes
ARM-GCC                CLANG
AndroidLint            ANDROIDLINT
Ansible-Later          ANSIBLELATER      With json format
AnsibleLint            FLAKE8            With -p
Bandit                 CLANG             With bandit -r examples/ -f custom -o bandit.out --msg-template "{abspath}:{line}: {severity}: {test_id}: {msg}"
CLang                  CLANG
CPD                    CPD
CPPCheck               CPPCHECK          With cppcheck test.cpp --output-file=cppcheck.xml --xml
CPPLint                CPPLINT
CSSLint                CSSLINT
Checkstyle             CHECKSTYLE
CloudFormation Linter  JUNIT             cfn-lint . -f junit --output-file report-junit.xml
CodeClimate            CODECLIMATE
CodeNarc               CODENARC
Dart                   MACHINE           With dart analyze --format=machine
Dependency Check       SARIF             Using --format SARIF
Detekt                 CHECKSTYLE        With --output-format xml.
DocFX                  DOCFX
Doxygen                CLANG
ERB                    CLANG             With erb -P -x -T '-' "${it}" | ruby -c 2>&1 >/dev/null | grep '^-' | sed -E 's/^-([a-zA-Z0-9:]+)/${filename}\1 ERROR:/p' > erbfiles.out.
ESLint                 CHECKSTYLE        With format: 'checkstyle'.
Findbugs               FINDBUGS
Flake8                 FLAKE8
FxCop                  FXCOP
GCC                    CLANG
GHS                    GHS
Gendarme               GENDARME
Generic reporter       GENERIC           Will create one single violation with all the content as message.
GoLint                 GOLINT
GoVet                  GOLINT            Same format as GoLint.
GolangCI-Lint          CHECKSTYLE        With --out-format=checkstyle.
GoogleErrorProne       GOOGLEERRORPRONE
HadoLint               CHECKSTYLE        With -f checkstyle
IAR                    IAR               With --no_wrap_diagnostics
Infer                  PMD               Facebook Infer. With --pmd-xml.
JACOCO                 JACOCO
JCReport               JCREPORT
JSHint                 JSLINT            With --reporter=jslint or the CHECKSTYLE parser with --reporter=checkstyle
JUnit                  JUNIT             It only contains the failures.
KTLint                 CHECKSTYLE
Klocwork               KLOCWORK
KotlinGradle           KOTLINGRADLE      Output from Kotlin Gradle Plugin.
KotlinMaven            KOTLINMAVEN       Output from Kotlin Maven Plugin.
Lint                   LINT              A common XML format, used by different linters.
MSBuildLog             MSBULDLOG         With -fileLogger use .*msbuild\\.log$ as pattern or -fl -flp:logfile=MyProjectOutput.log;verbosity=diagnostic for a custom output filename
MSCpp                  MSCPP
Mccabe                 FLAKE8
MyPy                   MYPY
NullAway               GOOGLEERRORPRONE  Same format as Google Error Prone.
PCLint                 PCLINT            PC-Lint using the same output format as the Jenkins warnings plugin, details here
PHPCS                  CHECKSTYLE        With phpcs api.php --report=checkstyle.
PHPPMD                 PMD               With phpmd api.php xml ruleset.xml.
PMD                    PMD
Pep8                   FLAKE8
PerlCritic             PERLCRITIC
PiTest                 PITEST
ProtoLint              PROTOLINT
Puppet-Lint            CLANG             With -log-format %{fullpath}:%{line}:%{column}: %{kind}: %{message}
PyDocStyle             PYDOCSTYLE
PyFlakes               FLAKE8
PyLint                 PYLINT            With pylint --output-format=parseable.
ReSharper              RESHARPER
RubyCop                CLANG             With rubycop -f clang file.rb
SARIF                  SARIF             v2.x. Microsoft Visual C# can generate it with ErrorLog="BuildErrors.sarif,version=2".
SbtScalac              SBTSCALAC
Scalastyle             CHECKSTYLE
Semgrep                SEMGREP           With --json.
Simian                 SIMIAN
Sonar                  SONAR             With mvn sonar:sonar -Dsonar.analysis.mode=preview -Dsonar.report.export.path=sonar-report.json. Removed in 7.7, see SONAR-11670 but can be retrieved with: curl --silent 'http://sonar-server/api/issues/search?componentKeys=unique-key&resolved=false' | jq -f sonar-report-builder.jq > sonar-report.json.
Spotbugs               FINDBUGS
StyleCop               STYLECOP
SwiftLint              CHECKSTYLE        With --reporter checkstyle.
TSLint                 CHECKSTYLE        With -t checkstyle
Valgrind               VALGRIND          With --xml=yes.
XMLLint                XMLLINT
XUnit                  XUNIT             It only contains the failures.
YAMLLint               YAMLLINT          With -f parsable
ZPTLint                ZPTLINT

51 parsers and 78 reporters.

Missing a format? Open an issue here!
