Add Actions as supported language (#53606)

Co-authored-by: mc <[email protected]> Co-authored-by: Sarita Iyer <[email protected]> Co-authored-by: Andrew Eisenberg <[email protected]>
ebfork · Dec 17, 2024 · bc02699 · bc02699
1 parent 0a02699
commit bc02699
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 3 deletions.
diff --git a/...ity-for-github-actions/security-guides/security-hardening-for-github-actions.md b/...ity-for-github-actions/security-guides/security-hardening-for-github-actions.md
@@ -224,7 +224,18 @@ The same principles described above for using third-party actions also apply to
 
 For more information on how to configure this setting, see {% ifversion ghes or ghec %}[AUTOTITLE](/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests),{% endif %} [Disabling or limiting {% data variables.product.prodname_actions %} for your organization](/github/setting-up-and-managing-organizations-and-teams/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests), and [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests).
 
-## Using OpenSSF Scorecards to secure workflows
+{% ifversion code-scanning-actions-language %}
+
+## Using {% data variables.product.prodname_code_scanning %} to secure workflows
+
+{% data reusables.code-scanning.beta-actions-analysis %}
+
+{% data variables.product.prodname_code_scanning_caps %} can automatically detect and suggest improvements for common vulnerable patterns used in {% data variables.product.prodname_actions %} workflows.
+For more information on how to enable {% data variables.product.prodname_code_scanning %}, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning).
+
+{% endif %}
+
+## Using OpenSSF Scorecards to secure workflow dependencies
 
 [Scorecards](https://github.com/ossf/scorecard) is an automated security tool that flags risky supply chain practices. You can use the [Scorecards action](https://github.com/marketplace/actions/ossf-scorecard-action) and [workflow template](https://github.com/actions/starter-workflows) to follow best security practices. Once configured, the Scorecards action runs automatically on repository changes, and alerts developers about risky supply chain practices using the built-in {% data variables.product.prodname_code_scanning %} experience. The Scorecards project runs a number of checks, including script injection attacks, token permissions, and pinned actions.
 

diff --git a/.../code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql.md b/.../code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql.md
@@ -49,6 +49,8 @@ For information about {% data variables.product.prodname_code_scanning %} alerts
 
 {% data reusables.code-scanning.codeql-languages-bullets %}
 
+{% data reusables.code-scanning.beta-actions-analysis %}
+
 {% ifversion fpt or ghec or ghes > 3.10 %}
 
 ## Modeling custom or niche frameworks

diff --git a/data/features/code-scanning-actions-language.yml b/data/features/code-scanning-actions-language.yml
@@ -0,0 +1,6 @@
+# Reference: #16135
+# Code scanning is able to analyze Actions workflows.
+# This feature is not yet available for GitHub Enterprise Server.
+versions:
+  fpt: '*'
+  ghec: '*'
diff --git a/data/reusables/code-scanning/beta-actions-analysis.md b/data/reusables/code-scanning/beta-actions-analysis.md
@@ -0,0 +1,6 @@
+{% ifversion code-scanning-actions-language %}
+
+> [!NOTE]
+> The ability to use {% data variables.product.prodname_code_scanning %} to find vulnerabilities in {% data variables.product.prodname_actions %} workflows is currently in {% data variables.release-phases.public_preview %} and subject to change.
+
+{% endif %}
diff --git a/data/reusables/code-scanning/codeql-language-identifiers-table.md b/data/reusables/code-scanning/codeql-language-identifiers-table.md
@@ -8,8 +8,13 @@
 | Java/Kotlin | `java-kotlin` | `java` or `kotlin` |
 | JavaScript/TypeScript | `javascript-typescript` | `javascript` or `typescript` |
 | Python | `python` |
-| Ruby | `ruby`
-| Swift | `swift`
+| Ruby | `ruby` |
+| Swift | `swift` |
+| {% ifversion code-scanning-actions-language %} |
+{% data variables.product.prodname_actions %} workflows | `actions`
+| {% endif %}
+
+{% data reusables.code-scanning.beta-actions-analysis %}
 
 > [!NOTE]
 > If you specify one of the alternative identifiers, this is equivalent to using the standard language identifier. For example, specifying `javascript` instead of `javascript-typescript` will not exclude analysis of TypeScript code. You can do this in an advanced setup workflow with the `--paths-ignore` option. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan)."

diff --git a/data/reusables/code-scanning/codeql-languages-bullets.md b/data/reusables/code-scanning/codeql-languages-bullets.md
@@ -7,8 +7,10 @@
 * Python
 * Ruby
 * Swift
+{% ifversion code-scanning-actions-language %}* {% data variables.product.prodname_actions %} workflows{% endif %}
 
 > [!NOTE]
+>
 > * Use {% ifversion codeql-language-identifiers-311 %}`java-kotlin`{% else %}`java`{% endif %} to analyze code written in Java, Kotlin or both.
 > * Use {% ifversion codeql-language-identifiers-311 %}`javascript-typescript`{% else %}`javascript`{% endif %} to analyze code written in JavaScript, TypeScript or both.