forked from snowdreamtech/base
-
Notifications
You must be signed in to change notification settings - Fork 0
171 lines (160 loc) Β· 6.42 KB
/
Copy pathcodeql.yml
File metadata and controls
171 lines (160 loc) Β· 6.42 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
# Copyright (c) 2026 SnowdreamTech. All rights reserved.
# Licensed under the MIT License. See LICENSE file in the project root for full license information.
---
# CodeQL Security Analysis
# Purpose: Performs deep static analysis to detect security vulnerabilities and coding errors.
# Trigger: Push to main, weekly schedule, and manual dispatch.
# Permissions:
# - security-events: write (Required to upload SARIF results to the GitHub Security tab).
# - actions: read (Required to determine workflow run status).
# - contents: read (Required for code analysis).
# Concurrency:
# - group: ${{ github.workflow }}-${{ github.ref }} (Ensures only the latest scan results are processed).
# - cancel-in-progress: true (In-progress scans are superseded by newer commits to save resources).
# Design:
# - Utilizes advanced matrix strategy for multi-language support (Go, Python).
# - Leverages internal CodeQL autobuild for zero-config compilation where possible.
name: "π¬ CodeQL Analysis"
"on":
push:
branches:
- "main"
- "dev"
pull_request:
branches:
- "main"
- "dev"
- "feat/**"
- "branch/**"
- "feature/**"
- "fix/**"
- "pr/**"
permissions: {}
env:
UNIRTM_LOCKED: 1
jobs:
analyze:
name: "π‘οΈ Deep Semantic Analysis (${{ matrix.language }})"
runs-on: ubuntu-latest
concurrency:
group: codeql-${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
cancel-in-progress: true
permissions:
security-events: write # Required to upload SARIF results to the GitHub Security tab
actions: read # Required to determine workflow run status
contents: read # Required for code analysis
timeout-minutes: 360 # Deep scans on large repos can take significant time
strategy:
fail-fast: false
matrix:
language:
- actions
# Uncomment the following lines when source files exist in the repo:
# - go # Go (*.go) β golangci-lint, gofmt
# - python # Python (*.py) β ruff, ansible-lint
# - javascript-typescript # JS/TS (*.js, *.ts, *.jsx, *.tsx) β eslint
# - c-cpp # C/C++/Obj-C (*.c, *.cpp, *.h) β clang-format
# - csharp # C# (*.cs) β dotnet format
# - java-kotlin # Java/Kotlin (*.java, *.kt) β ktlint
# - ruby # Ruby (*.rb) β rubocop
# - swift # Swift (*.swift) β swiftformat, swiftlint
steps:
- name: "π Harden Runner"
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
raw.githubusercontent.com:443
objects.githubusercontent.com:443
pkg-containers.githubusercontent.com:443
avatars.githubusercontent.com:443
github.com:443
packages.microsoft.com:443
archive.ubuntu.com:80
archive.ubuntu.com:443
security.ubuntu.com:80
security.ubuntu.com:443
ports.ubuntu.com:80
ports.ubuntu.com:443
keyserver.ubuntu.com:80
keyserver.ubuntu.com:443
changelogs.ubuntu.com:80
changelogs.ubuntu.com:443
deb.debian.org:80
deb.debian.org:443
security.debian.org:80
security.debian.org:443
snapshot.debian.org:80
snapshot.debian.org:443
dl.rockylinux.org:443
mirrors.rockylinux.org:443
mirror.centos.org:443
vault.centos.org:443
isv-data.centos.org:443
mirrorlist.centos.org:80
mirrorlist.centos.org:443
cdn.redhat.com:443
cdn-ubi.redhat.com:443
access.redhat.com:443
sso.redhat.com:443
dl-cdn.alpinelinux.org:443
registry.npmjs.org:443
registry.yarnpkg.com:443
pypi.org:443
files.pythonhosted.org:443
proxy.golang.org:443
sum.golang.org:443
index.crates.io:443
static.rust-lang.org:443
packagist.org:443
repo.maven.apache.org:443
golang.org:443
pkg.go.dev:443
dl.google.com:443
rubygems.org:443
registry.terraform.io:443
formulae.brew.sh:443
repo.yarnpkg.com:443
ghcr.io:443
production.cloudflare.docker.com:80
production.cloudflare.docker.com:443
registry-1.docker.io:443
auth.docker.io:443
docker.io:443
quay.io:443
cdn.quay.io:443
docker-images-prod.s3.us-west-2.amazonaws.com:443
docker-images-prod.s3.us-east-1.amazonaws.com:443
docker-images-prod.s3.amazonaws.com:443
s3.amazonaws.com:443
s3.us-west-2.amazonaws.com:443
s3.us-east-1.amazonaws.com:443
osv-vulnerabilities.storage.googleapis.com:443
api.osv.dev:443
get.trivy.dev:443
aquasecurity.github.io:443
tuf-repo-cdn.sigstore.dev:443
oauth2.sigstore.dev:443
rekor.sigstore.dev:443
fulcio.sigstore.dev:443
api.sigstore.dev:443
- name: "π Checkout Repository Code"
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: "π‘οΈ Initialize CodeQL Engine"
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
# Sets up the CodeQL database for the specified technical stack (e.g., Python, Go).
languages: ${{ matrix.language }}
config-file: .github/codeql/codeql-config.yml
- name: "π Bootstrap Target Build"
uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
# Attempts to automatically compile the project to enable full-trace analysis.
- name: "π Perform Deep Security Analysis"
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
# Executes the semantic queries and generates the final vulnerability report.
category: "/language:${{ matrix.language }}"