CodeQL #113
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# This action is centrally managed in https://github.com/<organization>/.github/ | |
# Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in | |
# the above-mentioned repo. | |
# This workflow will analyze all supported languages in the repository using CodeQL Analysis. | |
name: "CodeQL" | |
on: | |
push: | |
branches: ["master"] | |
pull_request: | |
branches: ["master"] | |
schedule: | |
- cron: '00 12 * * 0' # every Sunday at 12:00 UTC | |
concurrency: | |
group: "${{ github.workflow }}-${{ github.ref }}" | |
cancel-in-progress: true | |
jobs: | |
languages: | |
name: Get language matrix | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.lang.outputs.result }} | |
continue: ${{ steps.continue.outputs.result }} | |
steps: | |
- name: Get repo languages | |
uses: actions/github-script@v7 | |
id: lang | |
with: | |
script: | | |
// CodeQL supports ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift'] | |
// Use only 'java' to analyze code written in Java, Kotlin or both | |
// Use only 'javascript' to analyze code written in JavaScript, TypeScript or both | |
// Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support | |
const supported_languages = ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift'] | |
const remap_languages = { | |
'c++': 'cpp', | |
'c#': 'csharp', | |
'kotlin': 'java', | |
'typescript': 'javascript', | |
} | |
const repo = context.repo | |
const response = await github.rest.repos.listLanguages(repo) | |
let matrix = { | |
"include": [] | |
} | |
for (let [key, value] of Object.entries(response.data)) { | |
// remap language | |
if (remap_languages[key.toLowerCase()]) { | |
console.log(`Remapping language: ${key} to ${remap_languages[key.toLowerCase()]}`) | |
key = remap_languages[key.toLowerCase()] | |
} | |
if (supported_languages.includes(key.toLowerCase())) { | |
console.log(`Found supported language: ${key}`) | |
let osList = ['ubuntu-latest']; | |
if (key.toLowerCase() === 'swift') { | |
osList = ['macos-latest']; | |
} else if (key.toLowerCase() === 'cpp') { | |
// TODO: update macos to latest after the below issue is resolved | |
// https://github.com/github/codeql-action/issues/2266 | |
osList = ['macos-13', 'ubuntu-latest', 'windows-latest']; | |
} | |
for (let os of osList) { | |
// set name for matrix | |
if (osList.length == 1) { | |
name = key.toLowerCase() | |
} else { | |
name = `${key.toLowerCase()}, ${os}` | |
} | |
// add to matrix | |
matrix['include'].push({"language": key.toLowerCase(), "os": os, "name": name}) | |
} | |
} | |
} | |
// print languages | |
console.log(`matrix: ${JSON.stringify(matrix)}`) | |
return matrix | |
- name: Continue | |
uses: actions/github-script@v7 | |
id: continue | |
with: | |
script: | | |
// if matrix['include'] is an empty list return false, otherwise true | |
const matrix = ${{ steps.lang.outputs.result }} // this is already json encoded | |
if (matrix['include'].length == 0) { | |
return false | |
} else { | |
return true | |
} | |
analyze: | |
name: Analyze (${{ matrix.name }}) | |
if: ${{ needs.languages.outputs.continue == 'true' }} | |
defaults: | |
run: | |
shell: ${{ matrix.os == 'windows-latest' && 'msys2 {0}' || 'bash' }} | |
env: | |
GITHUB_CODEQL_BUILD: true | |
needs: [languages] | |
runs-on: ${{ matrix.os || 'ubuntu-latest' }} | |
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJson(needs.languages.outputs.matrix) }} | |
steps: | |
- name: Maximize build space | |
if: >- | |
runner.os == 'Linux' && | |
matrix.language == 'cpp' | |
uses: easimon/maximize-build-space@v10 | |
with: | |
root-reserve-mb: 30720 | |
remove-dotnet: ${{ (matrix.language == 'csharp' && 'false') || 'true' }} | |
remove-android: 'true' | |
remove-haskell: 'true' | |
remove-codeql: 'false' | |
remove-docker-images: 'true' | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Setup msys2 | |
if: >- | |
runner.os == 'Windows' && | |
matrix.language == 'cpp' | |
uses: msys2/setup-msys2@v2 | |
with: | |
msystem: ucrt64 | |
update: true | |
# Initializes the CodeQL tools for scanning. | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: ${{ matrix.language }} | |
# If you wish to specify custom queries, you can do so here or in a config file. | |
# By default, queries listed here will override any specified in a config file. | |
# Prefix the list here with "+" to use these queries and those in the config file. | |
# yamllint disable-line rule:line-length | |
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | |
# queries: security-extended,security-and-quality | |
config: | | |
paths-ignore: | |
- build | |
- node_modules | |
- third-party | |
# Pre autobuild | |
# create a file named .codeql-prebuild-${{ matrix.language }}.sh in the root of your repository | |
# create a file named .codeql-build-${{ matrix.language }}.sh in the root of your repository | |
- name: Prebuild | |
id: prebuild | |
run: | | |
# check if prebuild script exists | |
filename=".codeql-prebuild-${{ matrix.language }}-${{ runner.os }}.sh" | |
if [ -f "./${filename}" ]; then | |
echo "Running prebuild script: ${filename}" | |
./${filename} | |
fi | |
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). | |
- name: Autobuild | |
if: steps.prebuild.outputs.skip_autobuild != 'true' | |
uses: github/codeql-action/autobuild@v3 | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v3 | |
with: | |
category: "/language:${{matrix.language}}" | |
output: sarif-results | |
upload: failure-only | |
- name: filter-sarif | |
uses: advanced-security/filter-sarif@v1 | |
with: | |
input: sarif-results/${{ matrix.language }}.sarif | |
output: sarif-results/${{ matrix.language }}.sarif | |
patterns: | | |
-build/** | |
-node_modules/** | |
-third\-party/** | |
- name: Upload SARIF | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: sarif-results/${{ matrix.language }}.sarif | |
- name: Upload loc as a Build Artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: sarif-results-${{ matrix.language }}-${{ runner.os }} | |
path: sarif-results | |
retention-days: 1 |