Seqra security code analysis

Run Seqra static analysis in your CI, generate a SARIF report, and optionally upload it to GitHub Code Scanning.
Note: The action expects Linux x86_64 runners.
Seqra analyzes the compiled bytecode of your project, so before this action runs your CI job must be able to compile it. For example:
- Java/Kotlin projects: set up a JDK with actions/setup-java@v5
Minimal workflow (SARIF is produced and kept as a workflow artifact only):

```yaml
name: Seqra Analysis
on: workflow_dispatch
jobs:
  seqra:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout your repository
        uses: actions/checkout@v6
      - name: Set up JDK
        uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Run Seqra code analysis
        uses: seqra/seqra-action@v2
```

With upload to GitHub Code Scanning (note the extra `security-events: write` permission):

```yaml
name: Seqra Analysis
on: workflow_dispatch
# Required for Code Scanning upload
permissions:
  contents: read
  security-events: write
jobs:
  seqra:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout your repository
        uses: actions/checkout@v6
      - name: Set up JDK
        uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Run Seqra code analysis
        uses: seqra/seqra-action@v2
        with:
          upload-sarif: 'true'
          artifact-name: 'sarif'
```

All inputs, each described by the comment above it (the values shown are illustrative, not necessarily the defaults):

```yaml
name: Seqra Analysis
on: workflow_dispatch
# Required for Code Scanning upload
permissions:
  contents: read
  security-events: write
jobs:
  seqra:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout your repository
        uses: actions/checkout@v6
      - name: Set up JDK
        uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Run Seqra code analysis
        uses: seqra/seqra-action@v2
        with:
          # Relative path under $GITHUB_WORKSPACE to the root of the analyzed project
          project-root: '.'
          # Whether seqra-action uploads the SARIF to GitHub Code Security
          upload-sarif: 'false'
          # Tag of the Seqra release to run
          seqra-version: 'v2.3.0'
          # Paths to custom rules directories (comma-separated).
          # Empty by default, in which case Seqra uses its built-in rules.
          rules-path: 'security/myrules'
          # Name of the uploaded artifact
          artifact-name: 'sarif'
          # Log level
          verbosity: 'info'
          # Scan timeout
          timeout: '15m'
          # Severity levels to report (comma-separated)
          # Valid values: note, warning, error
          severity: 'warning,error'
```

After the job completes, you'll find:
- A SARIF artifact named sarif (configurable via artifact-name) attached to the workflow run.
- If upload-sarif: 'true', the SARIF is also sent to Security → Code scanning alerts in your repository.

Permissions:
- For the artifact upload, the default workflow permissions are sufficient.
- For the Code Scanning upload, add:

```yaml
permissions:
  contents: read
  security-events: write
```
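The SARIF artifact is the hand-off point for any policy you want to enforce after the scan. The script below is an added example, not part of seqra-action, that a follow-up job could run after fetching the artifact with actions/download-artifact. It resolves each result's level the way SARIF 2.1.0 prescribes (explicit result level, else the rule's default level, else warning), filters with the same note/warning/error vocabulary as the action's severity input, and returns a non-zero exit status when a finding at or above the chosen threshold is present. The embedded SARIF document is constructed for illustration; its rule ids and file paths are not Seqra's, and the page does not name the file inside the artifact, so the path is taken as an argument.

```python
"""Gate a CI job on a SARIF report such as the one seqra-action produces.

Added example, not part of seqra-action. Relies only on the SARIF 2.1.0 result
structure; the sample report at the bottom is constructed, not Seqra output.
"""
import json
import sys
from collections import Counter
from dataclasses import dataclass

# Same levels seqra-action accepts in `severity`; also the SARIF result levels.
LEVELS = ("note", "warning", "error")


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str
    uri: str
    line: int


def parse_severity(spec: str) -> set[str]:
    """Parse a comma-separated list such as 'warning,error' (case-insensitive)."""
    wanted = {s.strip().lower() for s in spec.split(",") if s.strip()}
    unknown = wanted - set(LEVELS)
    if unknown:
        raise ValueError(f"unknown severity level(s): {sorted(unknown)}")
    return wanted


def load_findings(sarif: dict) -> list[Finding]:
    """Flatten every run's results. Level: explicit result.level, else the rule's
    defaultConfiguration.level, else "warning" (SARIF 2.1.0); "none" is skipped."""
    findings: list[Finding] = []
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        defaults = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
                    for r in rules if "id" in r}
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "<no-rule>")
            level = result.get("level") or defaults.get(rule_id, "warning")
            if level == "none":
                continue
            if level not in LEVELS:
                level = "warning"
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append(Finding(
                rule_id, level,
                loc.get("artifactLocation", {}).get("uri", "<unknown>"),
                loc.get("region", {}).get("startLine", 0)))
    return findings


def select(findings: list[Finding], severity: str = "warning,error") -> list[Finding]:
    """Keep the findings whose level is in the requested severity set."""
    wanted = parse_severity(severity)
    return [f for f in findings if f.level in wanted]


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = Counter(f.level for f in findings)
    return {lvl: counts.get(lvl, 0) for lvl in LEVELS}


def should_fail(findings: list[Finding], fail_on: str = "error") -> bool:
    """True if any finding is at or above the fail_on level."""
    threshold = LEVELS.index(fail_on)
    return any(LEVELS.index(f.level) >= threshold for f in findings)


def gate(path: str, severity: str = "warning,error", fail_on: str = "error") -> int:
    """Print the selected findings and return the exit status for the CI step."""
    with open(path, encoding="utf-8") as fh:
        findings = select(load_findings(json.load(fh)), severity)
    for f in sorted(findings, key=lambda f: (-LEVELS.index(f.level), f.uri, f.line)):
        print(f"{f.level:<8}{f.uri}:{f.line}  {f.rule_id}")
    print("summary:", summarize(findings))
    return 1 if should_fail(findings, fail_on) else 0


# Constructed sample report; rule ids and paths are illustrative, not Seqra's.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "seqra", "rules": [
        {"id": "example/sql-injection", "defaultConfiguration": {"level": "error"}},
        {"id": "example/hardcoded-secret"}]}},
    "results": [
        {"ruleId": "example/sql-injection",  # no level: inherits "error" from the rule
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/main/java/app/UserDao.java"},
             "region": {"startLine": 42}}}]},
        {"ruleId": "example/hardcoded-secret", "level": "warning",
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/main/java/app/Config.java"},
             "region": {"startLine": 7}}}]},
        {"ruleId": "example/verbose-logging", "level": "note",
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/main/java/app/Main.java"},
             "region": {"startLine": 15}}}]}]}]}

if __name__ == "__main__":
    sys.exit(gate(*sys.argv[1:]))
```

Invoke it as `python sarif_gate.py <path-to-sarif> warning,error error` (script name assumed); the second argument mirrors the action's severity input and the third is the level at which the step should fail. Keeping the gate in a separate job means a scan timeout or compile failure in the seqra job is reported as that job failing, not as a policy verdict.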
- "Compilation has failed": Seqra needs to compile your project to analyze its bytecode. Ensure the required build tools (e.g., a JDK via actions/setup-java@v5) are set up before this action runs. See Prerequisites.
- Monorepos: analyze only the project you need by pointing project-root at it.
- Timeouts: if the scan times out, increase timeout (e.g., 30m).
See CHANGELOG.
This project is released under the MIT License.
The core analysis engine is source-available under the Functional Source License (FSL-1.1-ALv2), which converts to Apache 2.0 two years after each release. You can use Seqra for free, including for commercial use, except for competing products or services.
Seqra security code analysis is not certified by GitHub. It is provided by a third party and is governed by separate terms of service, privacy policy, and support documentation.