Archived, see the motivation here: https://github.com/tomasbjerre/violation-comments-to-github-lib

This is a GitHub Action that comments on pull requests with the results from static code analysis. It supports many different formats.

It uses Violation Comments To GitHub Command Line. Parsers and parameters are documented in the command line tool:
https://github.com/tomasbjerre/violation-comments-to-github-command-line
Example:

```yaml
- name: Violation Comments Action
  uses: tomasbjerre/violation-comments-action@master
  with:
    parser: FINDBUGS
    regexp: '.*spotbugs/main\.xml$'
```
Other optional parameters:

```yaml
- name: Violation Comments Action
  uses: tomasbjerre/violation-comments-action@master
  with:
    parser: FINDBUGS
    regexp: '.*spotbugs/main\.xml$'
    # Optional config below
    keepOldComments: true # keep comments from earlier runs (false removes them)
    commentTemplate: '{{violation.message}}' # see https://github.com/tomasbjerre/violation-comments-lib
    maxNumberOfViolations: 99 # post at most this many comments
    severity: INFO # INFO, WARN or ERROR
    commentOnlyChangedContent: true # comment only on violations in the changed part of the PR
    commentOnlyChangedFiles: true # comment only on files that are changed in the PR
    createSingleFileComments: true # create one comment per violation
    createCommentWithAllSingleFileComments: false # create one big comment with all violations
```
If you invoke the action several times in the same pipeline, you may want to set `keepOldComments: false` on the first invocation only, so that stale comments are removed once and the later invocations do not delete each other's comments:

```yaml
- name: Spotbugs
  uses: tomasbjerre/violation-comments-action@master
  with:
    parser: FINDBUGS
    regexp: '.*spotbugs/main\.xml$'
    keepOldComments: false
- name: Checkstyle
  uses: tomasbjerre/violation-comments-action@master
  with:
    parser: CHECKSTYLE
    regexp: '.*checkstyle/main\.xml$'
    keepOldComments: true
```
You can set a custom template like this:

```yaml
- name: create template
  run: |
    VIOLATION_TEMPLATE=$(cat << EOF
    {{violation.message}}
    EOF
    )
    echo "VIOLATION_TEMPLATE<<EOF" >> $GITHUB_ENV
    echo "$VIOLATION_TEMPLATE" >> $GITHUB_ENV
    echo "EOF" >> $GITHUB_ENV
- name: Spotbugs
  uses: tomasbjerre/violation-comments-action@master
  with:
    parser: FINDBUGS
    regexp: '.*spotbugs/main\.xml$'
    commentTemplate: ${{ env.VIOLATION_TEMPLATE }}
```
To make it run only on pull requests, you can do:

```yaml
jobs:
  static-code-analysis:
    if: ${{ github.event_name == 'pull_request' || github.head_ref != github.base_ref }} # if it is a PR build
```

There is also an example here.
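As an added example (not from the action's own README), here is a complete workflow that ties the pieces above together: run a scanner on a pull request, then post its findings as PR comments with the GITHUB_TOKEN restricted to the permissions the job actually needs. The Bandit invocation is the one given in the parser table below (Bandit reports are read with the CLANG parser). Assumed, since the README does not state them: the source directory `src/`, the output file `bandit.out` and matching `regexp`, that the action authenticates with the job's `GITHUB_TOKEN`, and `actions/checkout@v4` for the checkout step.

```yaml
# Added example workflow, not part of the action's README.
# Assumptions: Python sources under src/, Bandit writes bandit.out,
# and the action uses the job's GITHUB_TOKEN to post comments.
name: static-code-analysis

on:
  pull_request:

# Least privilege for GITHUB_TOKEN: read the repo, write PR comments, nothing else.
permissions:
  contents: read
  pull-requests: write

jobs:
  bandit:
    # Same PR-build condition as in the README above.
    if: ${{ github.event_name == 'pull_request' || github.head_ref != github.base_ref }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Bandit
        run: pip install bandit

      - name: Run Bandit
        # Bandit exits non-zero when it finds issues; continue so the comment step still runs.
        continue-on-error: true
        run: >-
          bandit -r src/ -f custom -o bandit.out
          --msg-template "{abspath}:{line}: {severity}: {test_id}: {msg}"

      - name: Bandit findings as PR comments
        uses: tomasbjerre/violation-comments-action@master
        with:
          parser: CLANG
          regexp: '.*bandit\.out$'          # assumed output file name
          severity: WARN                    # skip INFO-level findings
          keepOldComments: false            # first (and only) invocation: drop stale comments
          commentOnlyChangedContent: true   # only findings in the lines this PR touches
          createSingleFileComments: true
          createCommentWithAllSingleFileComments: false
```

On `pull_request` runs coming from a forked repository the `GITHUB_TOKEN` is read-only, so the comment step cannot post; do not work around that by switching to `pull_request_target` while still checking out and running the PR's code, because that executes untrusted code with a write-capable token.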
A number of parsers have been implemented. Some parsers can parse output from several reporters.

Reporter | Parser | Notes
---|---|---
ARM-GCC | CLANG |
AndroidLint | ANDROIDLINT |
Ansible-Later | ANSIBLELATER | With json format
AnsibleLint | FLAKE8 | With `-p`
Bandit | CLANG | With `bandit -r examples/ -f custom -o bandit.out --msg-template "{abspath}:{line}: {severity}: {test_id}: {msg}"`
CLang | CLANG |
CPD | CPD |
CPPCheck | CPPCHECK | With `cppcheck test.cpp --output-file=cppcheck.xml --xml`
CPPLint | CPPLINT |
CSSLint | CSSLINT |
Checkstyle | CHECKSTYLE |
CloudFormation Linter | JUNIT | `cfn-lint . -f junit --output-file report-junit.xml`
CodeClimate | CODECLIMATE |
CodeNarc | CODENARC |
Dart | MACHINE | With `dart analyze --format=machine`
Dependency Check | SARIF | Using `--format SARIF`
Detekt | CHECKSTYLE | With `--output-format xml`.
DocFX | DOCFX |
Doxygen | CLANG |
ERB | CLANG | With `erb -P -x -T '-' "${it}" \| ruby -c 2>&1 >/dev/null \| grep '^-' \| sed -E 's/^-([a-zA-Z0-9:]+)/$(unknown)\1 ERROR:/p' > erbfiles.out`.
ESLint | CHECKSTYLE | With `format: 'checkstyle'`.
Findbugs | FINDBUGS |
Flake8 | FLAKE8 |
FxCop | FXCOP |
GCC | CLANG |
GHS | GHS |
Gendarme | GENDARME |
Generic reporter | GENERIC | Will create one single violation with all the content as message.
GoLint | GOLINT |
GoVet | GOLINT | Same format as GoLint.
GolangCI-Lint | CHECKSTYLE | With `--out-format=checkstyle`.
GoogleErrorProne | GOOGLEERRORPRONE |
HadoLint | CHECKSTYLE | With `-f checkstyle`
IAR | IAR | With `--no_wrap_diagnostics`
Infer | PMD | Facebook Infer. With `--pmd-xml`.
JACOCO | JACOCO |
JCReport | JCREPORT |
JSHint | JSLINT | With `--reporter=jslint`, or the CHECKSTYLE parser with `--reporter=checkstyle`
JUnit | JUNIT | It only contains the failures.
KTLint | CHECKSTYLE |
Klocwork | KLOCWORK |
KotlinGradle | KOTLINGRADLE | Output from Kotlin Gradle Plugin.
KotlinMaven | KOTLINMAVEN | Output from Kotlin Maven Plugin.
Lint | LINT | A common XML format, used by different linters.
MSBuildLog | MSBULDLOG | With `-fileLogger` use `.*msbuild\\.log$` as pattern, or `-fl -flp:logfile=MyProjectOutput.log;verbosity=diagnostic` for a custom output filename
MSCpp | MSCPP |
Mccabe | FLAKE8 |
MyPy | MYPY |
NullAway | GOOGLEERRORPRONE | Same format as Google Error Prone.
PCLint | PCLINT | PC-Lint using the same output format as the Jenkins warnings plugin, details here
PHPCS | CHECKSTYLE | With `phpcs api.php --report=checkstyle`.
PHPPMD | PMD | With `phpmd api.php xml ruleset.xml`.
PMD | PMD |
Pep8 | FLAKE8 |
PerlCritic | PERLCRITIC |
PiTest | PITEST |
ProtoLint | PROTOLINT |
Puppet-Lint | CLANG | With `-log-format %{fullpath}:%{line}:%{column}: %{kind}: %{message}`
PyDocStyle | PYDOCSTYLE |
PyFlakes | FLAKE8 |
PyLint | PYLINT | With `pylint --output-format=parseable`.
ReSharper | RESHARPER |
RubyCop | CLANG | With `rubycop -f clang file.rb`
SARIF | SARIF | v2.x. Microsoft Visual C# can generate it with `ErrorLog="BuildErrors.sarif,version=2"`.
SbtScalac | SBTSCALAC |
Scalastyle | CHECKSTYLE |
Semgrep | SEMGREP | With `--json`.
Simian | SIMIAN |
Sonar | SONAR | With `mvn sonar:sonar -Dsonar.analysis.mode=preview -Dsonar.report.export.path=sonar-report.json`. Removed in 7.7, see SONAR-11670, but can be retrieved with: `curl --silent 'http://sonar-server/api/issues/search?componentKeys=unique-key&resolved=false' \| jq -f sonar-report-builder.jq > sonar-report.json`.
Spotbugs | FINDBUGS |
StyleCop | STYLECOP |
SwiftLint | CHECKSTYLE | With `--reporter checkstyle`.
TSLint | CHECKSTYLE | With `-t checkstyle`
Valgrind | VALGRIND | With `--xml=yes`.
XMLLint | XMLLINT |
XUnit | XUNIT | It only contains the failures.
YAMLLint | YAMLLINT | With `-f parsable`
ZPTLint | ZPTLINT |
51 parsers and 78 reporters.
Missing a format? Open an issue here!