Run SpotBugs as a Github action.
Output type for the report. It can be 'xml', 'html', 'sarif', 'emacs' or 'xdocs'. Default value is 'sarif' as it is the used by GitHub Advanced Security.
default: 'sarif'
required: true
Comma separated list of packages to scan. It will fill the -onlyAnalyze parameter in spotbugs. It can contain the wildcards '*' and '-': com.example.* for single package or com.example.- for all subpackages.
If not specified, it will scan all packages.
See more at https://spotbugs.readthedocs.io/en/stable/running.html#text-ui-options
A string with any additional command arguments to be sent to spotbugs
The output filename. If not specified, it will use the default name 'results.[EXTENSION]'
It can be a file or a directory, it is usually the ./target folder where you compiled your project.
Path to the dependencies folder. For example, for Maven it is usually stored
in the ~/.m2 folder.
The basePath is used as a prefix in the sarif file to help GitHub find the right file of the issue. It is tipically something like 'src/main/java'.
This workflow would analyze a Java application that builds a set of packages under the com.example package name and outputs the results in sarif format to upload it to the GitHub Security tab:
name: SpotBugs
on: [push, pull_request]
jobs:
spotbugs-analyze:
name: Analyze
runs-on: ubuntu-latest
steps:
# checkout and build the project
- name: Checkout code
uses: actions/checkout@v3
- name: Set up JDK 11
uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
cache: maven
- name: Build with Maven
run: mvn clean package -B -Dmaven.test.skip
# Run SpotBugs and upload the SARIF file
- name: Run SpotBugs action
if: always()
uses: abirismyname/spotbugs-github-action@v2
with:
packages: com.example.-
target: ./target
dependenciesPath: ~/.m2
basePath: src/main/java
- name: Upload analysis results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{github.workspace}}/results.sarif