This action runs checksec.sh on ELF and winchecksec on PE binaries and reports any missing compilation flags that should be enabled as either errors or warnings. If there are any errors it returns non zero, failing the job. If GITHUB_TOKEN
and GITHUB_COMMENT_URL
is passed as env
variables the action will report on the PR as comments. The table of all flags can be disabled by setting the input print_flag_table
to "off"
.
Example workflow building on windows and then running winchecksec on artifacts.
Note: the only ubuntu version it runs on is ubuntu-20.04 for now.
on: [push, pull_request]
jobs:
build:
runs-on: windows-latest
steps:
- uses: actions/checkout@v1
- name: build
run: |
cmake . -G "Visual Studio 16 2019" -A x64
cmake --build . --verbose
- uses: nevun/action-checksec@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_COMMENT_URL: ${{ github.event.pull_request.comments_url }}
with:
executables: |
"Debug/test.exe"
"Debug/more_test.exe"
libraries: |
"Debug/foo.dll"
executables
, libraries
and verbose
are optional inputs.
If you pass the GITHUB_TOKEN and GITHUB_COMMENT_URL as env variables the action will also post comments on a PR instead of just in the job log.
If the action fails on windows it might be because it has a hardcoded path to python 3.9.0 in the hosted tool cache.
As a workaround until the action gets updated, add this above uses: nevun/action-checksec
:
- uses: actions/setup-python@v2
with:
python-version: '3.9.x'