CodeScanning::Rubocop
'code-scanning-rubocop' is a gem to integrate RuboCop and the GitHub's code scanning feature. The repository is composed by two components. The gem which can be installed in any ruby application and a default GitHub action to ease the usage of it.
The rubygem adds a SARIF exporter to the rubocop runner. GitHub's code scanning feature accepts a SARIF file with the 'results' (alerts) generated by the tool. The action, is what will run rubocop with the exporter. Note: you can only run the gem within your application, and have our own action that calls rubocop. See more in the Installation and Usage sections.
This is how it would look in your Security tab:
Action Installation
The easiest way to install the integration, is this action template bellow. It will install the gem in your app and run it for you within the GitHub's action enviroment. To install the action create a file .github/workflows/rubocop-analysis.yml
like the following:
# .github/workflows/rubocop-analysis.yml
name: "RuboCop"
on: [push]
jobs:
rubocop:
runs-on: ubuntu-latest
strategy:
fail-fast: false
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Set up Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: 2.6
# This step is not necessary if you add the gem to your Gemfile
- name: Install Code Scanning integration
run: bundle add code-scanning-rubocop --skip-install
- name: Install dependencies
run: bundle install
- name: RuboCop run
run: |
bash -c "
bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
[[ $? -ne 2 ]]
"
- name: Upload Sarif output
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: rubocop.sarif
Gem installation & usage in a custom action
Note: this is not necessary if you use the action above.
To install the gem add this line to your application's Gemfile:
gem 'code-scanning-rubocop'
Then, in your custom GitHub's action, you need to run rubocop and make sure you give it the SarifFormatter:
bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
As a last step, make sure you upload the rubocop.sarif
file to the code-scan integration. That will create the Code Scanning alerts.
Thus, add this step to your custom rubocop workflow:
- name: Upload Sarif output
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: rubocop.sarif
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/arthurnn/code-scanning-rubocop. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the code of conduct.
License
The gem is available as open source under the terms of the MIT License.
Code of Conduct
Everyone interacting in the Code::Scanning::Rubocop project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.