ShellCheck SARIF Analysis
ActionsTags
(2)A GitHub Action that generates SARIF analysis results by running ShellCheck on shell scripts in your repository.
This action utilizes ShellCheck (a third-party static analysis tool) to analyze shell scripts and generates results in SARIF format. The SARIF output integrates with GitHub Code Scanning to help track shell script quality and potential security issues.
- 🔍 Leverages ShellCheck for shell script analysis
- 📊 Generates SARIF format output for GitHub Code Scanning
- 🎯 Configurable file matching patterns
- ⚡ Supports multiple shell dialects (Bash, POSIX, Dash, KSH, BusyBox)
- 🔒 Built-in integration with GitHub Security features
This action depends on:
- ShellCheck - A static analysis tool for shell scripts
- Python 3.13 (automatically set up by the action)
- SARIF tooling (automatically installed by the action)
Add the following to your GitHub Actions workflow:
- name: Run ShellCheck Analysis
uses: reactive-firewall/shellcheck-scan@v1
with:
# Optional: Specify paths to scan (defaults to git-tracked shell scripts)
path: 'scripts/'
# Optional: Custom glob pattern for matching files
match: '**/*.{sh,bash,ksh}'
# Optional: Set minimum severity level (style, info, warning, error)
severity: 'warning'
# Optional: Specify shell dialect (bash, sh, dash, ksh, busybox)
shell-format: 'bash'| Input | Description | Required | Default |
|---|---|---|---|
path |
File or directory to scan | No | Auto-detected |
match |
Glob pattern for matching files | No | **/*.{bash,sh,command} |
severity |
Minimum severity level | No | style |
shell-format |
Shell dialect to use | No | AUTOMATIC |
publish-artifacts |
Upload results as artifacts | No | true |
This action requires:
- GitHub Actions
- Required permissions:
security-events: write(for uploading SARIF results)contents: read(for scanning repository contents)
name: ShellCheck Analysis
on: [push, pull_request]
jobs:
shellcheck:
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
steps:
- uses: actions/checkout@v4
- uses: reactive-firewall/shellcheck-scan@v1- uses: reactive-firewall/shellcheck-scan@v1
with:
path: 'scripts/'
severity: 'warning'
shell-format: 'bash'
match: '**/*.bash'This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.
Contributions are welcome! Please feel free to submit a Pull Request.
If you encounter any problems, please file an issue along with a detailed description.
Last Updated: 2024-12-21
ShellCheck SARIF Analysis is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.
Tags
(2)ShellCheck SARIF Analysis is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.