-
Notifications
You must be signed in to change notification settings - Fork 0
99 lines (90 loc) · 3.04 KB
/
Copy pathsecurity-codeql.yml
File metadata and controls
99 lines (90 loc) · 3.04 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
name: Security - CodeQL
on:
push:
branches: [ develop ]
# Skip docs-only changes — CodeQL has nothing to analyse there
# and a typo fix shouldn't wait 8 minutes for a security scan.
# The weekly schedule still picks up newly-published advisories
# against unchanged code, so we don't lose coverage.
paths-ignore:
- 'docs/**'
- 'dev-docs/**'
- '**/*.md'
- 'LICENSE'
- 'NOTICE'
- 'TRADEMARK.md'
- '.gitignore'
- '.gitattributes'
pull_request:
branches: [ develop ]
paths-ignore:
- 'docs/**'
- 'dev-docs/**'
- '**/*.md'
- 'LICENSE'
- 'NOTICE'
- 'TRADEMARK.md'
- '.gitignore'
- '.gitattributes'
schedule:
# Weekly Sunday 03:14 UTC — picks up newly-published advisories that
# match unchanged code.
- cron: '14 3 * * 0'
jobs:
analyze:
name: Analyze (${{ matrix.language }})
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
actions: read
strategy:
fail-fast: false
matrix:
include:
- language: csharp
build-mode: manual
- language: javascript-typescript
build-mode: none
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
# security-extended pulls in the broader security query suite
# (covers more taint sinks than the default). security-and-quality
# is even broader but adds non-security findings — we have
# NetAnalyzers + SecurityCodeScan for that.
queries: security-extended
# Result-level query filters (e.g. the cs/log-forging structured-
# logging false-positive exclusion). See the file for rationale.
config-file: ./.github/codeql/codeql-config.yml
- name: Setup .NET
if: matrix.language == 'csharp'
uses: actions/setup-dotnet@v5
with:
dotnet-version: 10.0.x
- name: Build C# (manual mode for CodeQL)
if: matrix.language == 'csharp'
run: dotnet build Modgud.slnx -c Release
working-directory: ./src/dotnet
# Uploads SARIF to GitHub Code Scanning (Security tab) — works
# because the repo is public; code-scanning upload is free on
# public repos, no GitHub Advanced Security licence needed.
# We also write SARIF to `output:` and re-upload as a workflow
# artifact for local viewing in VS Code (CodeQL / SARIF Viewer).
- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@v4
with:
category: /language:${{ matrix.language }}
output: codeql-results
- name: Upload SARIF as workflow artifact
if: always()
uses: actions/upload-artifact@v7
with:
name: codeql-sarif-${{ matrix.language }}
path: codeql-results
retention-days: 30