seqra/seqra-action

Seqra GitHub Action

Run Seqra static analysis in your CI, generate a SARIF report, and optionally upload it to GitHub Code Scanning.

Usage

Note: The action expects Linux x86_64 runners.

Quick Start

Scan

```yaml
name: Seqra Analysis
on:
  workflow_dispatch

jobs:
  seqra:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout your repository
        uses: actions/checkout@v4

      - name: Run Seqra code analysis
        uses: seqra/seqra-action@v2
```

Scan and upload to GitHub code scanning alerts

```yaml
name: Seqra Analysis
on:
  workflow_dispatch

# Required for Code Scanning upload
permissions:
  contents: read
  security-events: write

jobs:
  seqra:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout your repository
        uses: actions/checkout@v4

      - name: Run Seqra code analysis
        uses: seqra/seqra-action@v2
        with:
          upload-sarif: 'true'
          artifact-name: 'sarif'
```

All Inputs

```yaml
name: Seqra Analysis
on:
  workflow_dispatch

# Required for Code Scanning upload
permissions:
  contents: read
  security-events: write

jobs:
  seqra:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout your repository
        uses: actions/checkout@v4

      - name: Run Seqra code analysis
        uses: seqra/seqra-action@v2
        with:
          # Relative path under $GITHUB_WORKSPACE to the root of the analyzed project
          project-root: '.'

          # Whether seqra-action uploads the SARIF to GitHub Code Security
          upload-sarif: 'false'

          # Tag of the Seqra release to run
          seqra-version: 'v2.0.2'

          # Relative path under $GITHUB_WORKSPACE to your rules
          # By default it is empty, so Seqra will use the built-in rules
          rules-path: 'security/myrules'

          # Name of the uploaded artifact
          artifact-name: 'sarif'

          # Scan timeout
          timeout: '15m'
```

Artifacts

After the job completes, you’ll find:

  • A SARIF artifact named sarif (configurable via artifact-name) uploaded to the workflow run.
  • If upload-sarif: 'true', the SARIF is also sent to Security → Code scanning alerts in your repo.
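As an added example (not part of seqra-action or Seqra itself), a small Python gate that reads the SARIF the action stores as the artifact and fails when findings at or above a chosen level are present. The SARIF document embedded below is constructed for the example; its rule ids, paths and messages are hypothetical, and the level fallback follows SARIF 2.1.0 (result level, else the rule's defaultConfiguration.level, else "warning").

```python
import json
import sys
from collections import Counter

# Constructed minimal SARIF 2.1.0 document standing in for the report the
# action uploads as the 'sarif' artifact. Rule ids and paths are made up.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-analyzer", "rules": [
            {"id": "EX001", "defaultConfiguration": {"level": "error"}},
            {"id": "EX002", "defaultConfiguration": {"level": "note"}},
        ]}},
        "results": [
            # No explicit level: inherits "error" from rule EX001
            {"ruleId": "EX001", "message": {"text": "sample finding 1"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/a.py"},
                 "region": {"startLine": 10}}}]},
            # Explicit level overrides the rule default
            {"ruleId": "EX001", "level": "warning",
             "message": {"text": "sample finding 2"}},
            # No explicit level: inherits "note" from rule EX002
            {"ruleId": "EX002", "message": {"text": "sample finding 3"}},
        ],
    }],
}

LEVELS = ("none", "note", "warning", "error")  # ascending severity

def result_level(result, rule_defaults):
    """Effective severity: result.level, else rule default, else 'warning'."""
    if "level" in result:
        return result["level"]
    return rule_defaults.get(result.get("ruleId"), "warning")

def summarize(sarif):
    """Count results per effective level across all runs in the document."""
    counts = Counter()
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rule_defaults = {r["id"]: r.get("defaultConfiguration", {})
                         .get("level", "warning") for r in rules}
        for res in run.get("results", []):
            counts[result_level(res, rule_defaults)] += 1
    return counts

def should_fail(counts, threshold="error"):
    """True if any result sits at or above the threshold level."""
    return any(counts[lvl] for lvl in LEVELS[LEVELS.index(threshold):])

if __name__ == "__main__":  # usage: gate.py report.sarif [warning|error]
    with open(sys.argv[1]) as f:
        report = json.load(f)
    sys.exit(1 if should_fail(summarize(report), *sys.argv[2:3]) else 0)
```

Run it as a step after the action (or after downloading the artifact) to turn findings into a failing job without waiting on Code Scanning alerts.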

Permissions

  • For artifact upload: default permissions are fine.

  • For Code Scanning upload: add

    permissions:
      contents: read
      security-events: write

Troubleshooting

  • Monorepos: You can analyze only the project you need using project-root.
  • Timeouts: If the scan times out, increase timeout (e.g., 30m).

Changelog

See CHANGELOG.

License

This project is released under the MIT License.

The core analysis engine is source-available under the Functional Source License (FSL-1.1-ALv2), which converts to Apache 2.0 two years after each release. You can use Seqra for free, including for commercial use, except for competing products or services.
