Infer# is an interprocedural and scalable static code analyzer for C#. Via the capabilities of Facebook's Infer, this tool detects null dereferences, resource leaks, and thread-safety violations. It also performs taint flow tracking to detect critical security vulnerabilities like SQL injections.
christopher-watanabe-snkeos/infersharpaction
Infer# GitHub Action

Infer# is an interprocedural and scalable static code analyzer for C#. Via the capabilities of Facebook's Infer, this tool detects race conditions, null pointer dereferences and resource leaks. It also performs taint flow tracking to detect critical security vulnerabilities like SQL injections. Its source code can be found here.

Sample Report

Usage

Option 1 - Uploading SARIF output to GitHub

- name: Run Infer#      
  uses: microsoft/[email protected]
  id: runinfersharp
  with:
    binary-path: '<path to the binary directory containing .dlls and .pdbs>'

- name: Upload SARIF output to GitHub Security Center
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: infer-out/report.sarif

You can view and manage the results at the Security tab -> Code scanning alerts. For example, if an alert is a false positive, you can dismiss it. Next time code scanning runs, the same code won't generate an alert. For all supported features, please see GitHub Docs on managing alerts.

Option 2 - Displaying results directly in workflow logs

- name: Run Infer#      
  uses: microsoft/[email protected]
  id: runinfersharp
  with:
    binary-path: '<path to the binary directory containing .dlls and .pdbs>'

- name: Infer# analysis results
  run: echo "${{ steps.runinfersharp.outputs.results }}"

Option 3 - Uploading results as an artifact

- name: Run Infer#      
  uses: microsoft/[email protected]
  id: runinfersharp
  with:
    binary-path: '<path to the binary directory containing .dlls and .pdbs>'

- name: Upload Infer# report as an artifact
  uses: actions/upload-artifact@v2
  with:
    name: report
    path: infer-out/report.txt

Parameters

  • binary-path (required): Path to the binary directory containing .dlls and .pdbs.

  • optional-flags: Additional flags passed to infer run; see https://fbinfer.com/docs/man-infer-run/#OPTIONS for the complete list. You can concatenate multiple flags with spaces.

Limitations

  • GitHub does not currently support Linux containers hosted on Windows; your CI pipeline must run on Linux. If it doesn't, you may still apply the analyzer by creating a dependent workflow which transports the binaries to a Linux host on which to run the analysis.

  • If the project is too large, the analysis may time out.

  • The analyzer may report warnings outside of your own code. This is because it runs on all input .pdbs, including those belonging to third-party library references. To prevent this, isolate the desired binaries in the input binary-path directory.
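The third limitation is easiest to handle with a preparation step that runs before the Run Infer# step and copies only your own assemblies (and only those with a matching .pdb) into a fresh directory, which then becomes binary-path. The script below is an added example, not part of the Infer# action or its README; the function name isolate_binaries, the prefix convention and the Contoso/Newtonsoft file names in the demo are assumptions.

```shell
#!/bin/sh
# Added example (not from the Infer# action): stage first-party assemblies in an
# isolated directory so the analyzer does not report warnings in third-party code.
# Only .dlls whose name starts with the given prefix AND that ship a matching .pdb
# are copied, because Infer# needs the symbols to analyze an assembly.
#
# usage: isolate_binaries <build-output-dir> <isolated-dir> <assembly-name-prefix>
# Prints the number of assemblies copied; exit status is 1 when nothing matched,
# so a CI step fails loudly instead of silently analyzing an empty directory.
isolate_binaries() {
    src="$1"; dest="$2"; prefix="$3"
    mkdir -p "$dest"
    count=0
    for dll in "$src/$prefix"*.dll; do
        [ -f "$dll" ] || continue            # glob matched nothing, skip the literal
        pdb="${dll%.dll}.pdb"
        if [ ! -f "$pdb" ]; then
            echo "skip $(basename "$dll"): no .pdb next to it" >&2
            continue
        fi
        cp "$dll" "$pdb" "$dest"/
        count=$((count + 1))
    done
    echo "$count"
    [ "$count" -gt 0 ]
}

# Constructed demo input: a build output mixing first-party (Contoso.*) assemblies
# with a NuGet dependency; Contoso.Core.dll deliberately has no .pdb.
demo=$(mktemp -d)
mkdir -p "$demo/bin"
for f in Contoso.Web.dll Contoso.Web.pdb Contoso.Core.dll \
         Newtonsoft.Json.dll Newtonsoft.Json.pdb; do
    : > "$demo/bin/$f"
done
isolate_binaries "$demo/bin" "$demo/isolated" Contoso   # prints 1
ls "$demo/isolated"                                      # Contoso.Web.dll Contoso.Web.pdb
```

In a workflow, call the function from a run: step after the build and set binary-path to the isolated directory.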

Troubleshooting

  • Please see here for troubleshooting tips.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
