Run Seqra static analysis in your CI, generate a SARIF report, and optionally upload it to GitHub Code Scanning.

Note: the action expects Linux runners.

Seqra analyzes the compiled bytecode of your project. Before running this action, ensure your CI environment is configured to compile the project. For example:

- Java/Kotlin projects: set up a JDK using `actions/setup-java@v5`
Minimal workflow (the SARIF report is uploaded as a workflow artifact only):

```yaml
name: Seqra Analysis
on:
  workflow_dispatch
jobs:
  seqra:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout your repository
        uses: actions/checkout@v6
      - name: Set up JDK
        uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Run Seqra code analysis
        uses: seqra/seqra-action@v2
```

Workflow with upload to GitHub Code Scanning (note the extra `permissions` block):

```yaml
name: Seqra Analysis
on:
  workflow_dispatch
# Required for Code Scanning upload
permissions:
  contents: read
  security-events: write
jobs:
  seqra:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout your repository
        uses: actions/checkout@v6
      - name: Set up JDK
        uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Run Seqra code analysis
        uses: seqra/seqra-action@v2
        with:
          upload-sarif: 'true'
          artifact-name: 'sarif'
```

All inputs, with their defaults:

```yaml
name: Seqra Analysis
on:
  workflow_dispatch
# Required for Code Scanning upload
permissions:
  contents: read
  security-events: write
jobs:
  seqra:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout your repository
        uses: actions/checkout@v6
      - name: Set up JDK
        uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Run Seqra code analysis
        uses: seqra/seqra-action@v2
        with:
          # Relative path under $GITHUB_WORKSPACE to the root of the analyzed project
          project-root: '.'
          # Should seqra-action upload SARIF to GitHub Code Security
          upload-sarif: 'false'
          # Seqra version selector:
          # - latest (latest stable)
          # - v2 (latest stable in major v2)
          # - v2.5 (latest stable in minor v2.5)
          # - v2.5.1 (exact)
          # Default is 'v2'
          seqra-version: 'v2'
          # Paths to custom rules directories (comma-separated)
          # By default it uses builtin rules
          rules-path: 'builtin'
          # Name of uploaded artifact
          artifact-name: 'seqra.sarif'
          # Log level
          verbosity: 'info'
          # Scan timeout
          timeout: '15m'
          # Severity levels to report (comma-separated)
          # Valid values: note, warning, error
          severity: 'warning,error'
```

After the job completes, you'll find:

- A SARIF artifact named `sarif` (configurable) uploaded to the workflow run.
- If `upload-sarif: 'true'`, the SARIF is also sent to Security → Code scanning alerts in your repo.
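The SARIF artifact can also be inspected directly, for example to gate a pipeline on finding severity before (or instead of) sending it to Code Scanning. The following is an added example and not part of seqra-action: it parses a constructed SARIF 2.1.0 report using the same `note`/`warning`/`error` levels the `severity` input accepts, resolves a result's level the way the SARIF spec does when `level` is omitted (rule default, else `warning`), and reports whether any finding meets a threshold. Rule ids and messages in the sample are illustrative only.

```python
import json

# Constructed sample SARIF 2.1.0 report in the shape the action uploads.
# Rule ids and messages are invented for illustration (assumption).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "seqra", "rules": [
            {"id": "example-rule-1", "defaultConfiguration": {"level": "error"}},
            {"id": "example-rule-2"},
        ]}},
        "results": [
            {"ruleId": "example-rule-1", "level": "error", "message": {"text": "a"}},
            {"ruleId": "example-rule-1", "message": {"text": "b"}},  # inherits rule default: error
            {"ruleId": "example-rule-2", "message": {"text": "c"}},  # no level anywhere: warning
            {"ruleId": "example-rule-2", "level": "note", "message": {"text": "d"}},
        ],
    }],
})

SEVERITY_ORDER = {"note": 0, "warning": 1, "error": 2}

def result_level(result, rules_by_id):
    """Resolve a result's level per SARIF 2.1.0: an explicit `level` wins,
    then the rule's defaultConfiguration.level, otherwise 'warning'."""
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")

def summarize_sarif(sarif_text):
    """Count results per level across every run in the report."""
    counts = {"note": 0, "warning": 0, "error": 0}
    for run in json.loads(sarif_text).get("runs", []):
        rules_by_id = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for result in run.get("results", []):
            level = result_level(result, rules_by_id)
            counts[level] = counts.get(level, 0) + 1
    return counts

def exceeds_threshold(counts, fail_on="error"):
    """True if any finding is at or above the `fail_on` level; usable as a CI gate."""
    floor = SEVERITY_ORDER[fail_on]
    return any(n > 0 for lvl, n in counts.items() if SEVERITY_ORDER.get(lvl, -1) >= floor)

if __name__ == "__main__":
    summary = summarize_sarif(SAMPLE_SARIF)
    print(summary)
    raise SystemExit(1 if exceeds_threshold(summary, "error") else 0)
```

To run it against a real artifact, download the SARIF file from the workflow run and pass its contents to `summarize_sarif` instead of `SAMPLE_SARIF`.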
`seqra-version` supports flexible selectors so you do not need to update this action for every Seqra release:

- `latest` - always use the latest stable release
- `v2` - use the latest stable release in major version 2 (default)
- `v2.5` - use the latest stable patch in minor version 2.5
- `v2.5.1` - pin an exact release

Examples:

```yaml
with:
  seqra-version: 'latest'
```

```yaml
with:
  seqra-version: 'v2.5'
```
- For artifact upload: default permissions are fine.
- For Code Scanning upload: add

```yaml
permissions:
  contents: read
  security-events: write
```
- "Compilation has failed": Seqra needs to compile your project to analyze bytecode. Ensure you have set up the required build tools (e.g., a JDK via `actions/setup-java@v5`) before running this action. See Prerequisites.
- Monorepos: you can analyze only the project you need using `project-root`.
- Timeouts: if the scan times out, increase `timeout` (e.g., `30m`).
See CHANGELOG.
This project is released under the MIT License.
The core analysis engine is source-available under the Functional Source License (FSL-1.1-ALv2), which converts to Apache 2.0 two years after each release. You can use Seqra for free, including for commercial use, except for competing products or services.