# .-.-. .-.-. .-.-. .-.-. .-.-. .-.-. .-.-. .-.- .-.-. .-.-. .-.-
# / / \ \ / / \ \ / / \ \ / / \ \ / / \ \ / / \ \ / / \ \ / / \ / / \ \ / / \ \ / / \
# `-' `-`-' `-`-' `-`-' `-`-' `-`-' `-`-' `-' `-`-' `-`-' `-`-'
#
# CodeQL
#
# This workflow replaces the GitHub CodeQL extension to support fork PRs.
# The extension doesn't trigger on fork PRs due to security restrictions.
# This workflow uses the pull_request event which works for all PRs.
#
# .-.-. .-.-. .-.-. .-.-. .-.-. .-.-. .-.-. .-.- .-.-. .-.-. .-.-
# / / \ \ / / \ \ / / \ \ / / \ \ / / \ \ / / \ \ / / \ \ / / \ / / \ \ / / \ \ / / \
# `-' `-`-' `-`-' `-`-' `-`-' `-`-' `-`-' `-`-' `-' `-`-' `-`-'
name: CodeQL

# Triggers: branch pushes, all PRs (including forks), merge-queue runs and a
# weekly scheduled scan.
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  merge_group:
    # Required for GitHub merge queue
    branches: [main, develop]
  schedule:
    # Weekly security scan, Mondays at 00:00 UTC
    - cron: '0 0 * * 1'

# One run per workflow and PR head ref; a newer commit cancels the older run.
# Push and scheduled runs have no head_ref and fall back to run_id, so they are
# never cancelled.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

# Least-privilege token for the whole workflow. security-events: write is what
# the SARIF uploads to the Security tab need; actions: read lets the CodeQL
# action look up workflow metadata. On pull_request runs from forks GitHub
# issues a read-only GITHUB_TOKEN regardless of this block, so the write scope
# only applies to same-repo branches, merge_group, push and schedule runs.
permissions:
  contents: read
  security-events: write
  actions: read
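jobs:
  analyze:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    timeout-minutes: 15
    strategy:
      fail-fast: false
      matrix:
        language: ['javascript-typescript']
    # Skip autobuild - CodeQL can analyze source code directly
    # No need to compile or install dependencies for static analysis
    steps:
      - name: Checkout repository
        # Actions below are referenced by tag. Pinning each third-party action
        # to a full commit SHA (tag kept in a trailing comment) protects against
        # a tag being moved to different code.
        uses: actions/checkout@v4
        with:
          submodules: 'true'
          # NOTE(review): persist-credentials is left at its default here
          # because the CodeQL action may need to fetch extra refs for PR
          # analysis; confirm before setting it to false as the lint jobs do.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          # No compilation step; the source tree is analyzed as-is
          build-mode: none
          # Use default queries plus security-extended for more coverage
          queries: security-extended
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          # Stable per-language category so a re-run replaces earlier results
          category: "/language:${{ matrix.language }}"

  dockerfile:
    name: Dockerfile Lint
    runs-on: ubuntu-latest
    timeout-minutes: 5
    needs: analyze
    # security-events: write is required by the SARIF upload step below.
    # NOTE(review): on fork PRs the token is read-only, so that upload is
    # expected to fail; confirm whether the upload should be guarded with
    # github.event.pull_request.head.repo.fork.
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Linting only reads the tree; do not leave the token in .git/config
          persist-credentials: false
      - name: Run Hadolint
        # Prefer a commit SHA over the version tag for supply-chain safety
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Dockerfile
          format: sarif
          output-file: hadolint.sarif
          # Findings are surfaced via the Security tab, not as a job failure
          no-fail: true
      - name: Upload Hadolint results
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: hadolint.sarif
          category: "hadolint"

  # Note: ShellCheck action doesn't natively support SARIF output
  # Results will appear in workflow logs
  shellcheck:
    name: Shell Script Lint
    runs-on: ubuntu-latest
    timeout-minutes: 5
    needs: analyze
    # Nothing is uploaded to the Security tab, so the job does not need the
    # workflow-level security-events: write scope.
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Linting only reads the tree; do not leave the token in .git/config
          persist-credentials: false
      - name: Run ShellCheck
        # Prefer a commit SHA over the version tag for supply-chain safety
        uses: ludeeus/action-shellcheck@2.0.0
        with:
          scandir: '.'
          format: gcc
          severity: warning
        # Advisory only: findings never fail this step, so the final gate job
        # below does not enforce ShellCheck results.
        continue-on-error: true

  # Final status check job for backwards compatibility with the old CodeQL workflow
  CodeQL:
    name: CodeQL
    runs-on: ubuntu-latest
    timeout-minutes: 5
    needs: [analyze, dockerfile, shellcheck]
    # always() so the gate reports a failure instead of being skipped when a
    # dependency fails or is cancelled.
    if: always()
    # Runs only shell with job results baked in; the token needs no scopes.
    permissions: {}
    steps:
      - name: Check all jobs succeeded
        # needs.*.result is one of success/failure/cancelled/skipped; anything
        # other than success (including skipped) fails the gate.
        run: |
          if [ "${{ needs.analyze.result }}" != "success" ]; then
            echo "CodeQL analysis failed"
            exit 1
          fi
          if [ "${{ needs.dockerfile.result }}" != "success" ]; then
            echo "Dockerfile lint failed"
            exit 1
          fi
          if [ "${{ needs.shellcheck.result }}" != "success" ]; then
            echo "ShellCheck lint failed"
            exit 1
          fi
          echo "All security checks passed!"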