Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable CodeQL scan for GitHub Actions #1821

Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

Enable CodeQL scan for GitHub Actions #1821

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
0c57457
Enable CodeQL scan for GitHub Actions
ericcornelissen Dec 17, 2024
f9075fa
Bump CodeQL Action to the latest version
ericcornelissen Dec 17, 2024
700e378
Disable config to see if that works for scanning actions
ericcornelissen Dec 17, 2024
1c2a90a
very ugly but at least we can test it
ericcornelissen Dec 18, 2024
048ce29
Merge branch 'main' into try-codeql-actions
ericcornelissen Dec 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 11 additions & 5 deletions .github/workflows/checks.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,8 +60,14 @@ jobs:
env:
WHAT: ${{ matrix.what }}
codeql:
name: CodeQL
name: CodeQL (${{ matrix.what }})
runs-on: ubuntu-24.04
strategy:
fail-fast: false
matrix:
what:
- javascript
- actions
permissions:
security-events: write # To upload CodeQL results
steps:
Expand All @@ -83,12 +89,12 @@ jobs:
with:
persist-credentials: false
- name: Initialize CodeQL
uses: github/codeql-action/init@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
with:
config-file: ./.github/codeql.yml
languages: javascript
# config-file: ./.github/codeql.yml
Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This job currently fails if this line is enabled because the configuration is not valid if matrix.what == 'actions', but we want the configuration for matrix.what == 'javascript'...

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason for this is this line:

shescape/.github/codeql.yml

Line 6 in 7b57255

- uses: security-extended

which it complained about here.

This has been reported at github/codeql-action#2658

languages: ${{ matrix.what }}
- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
odgen:
name: ODGen
runs-on: ubuntu-24.04
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/semgrep.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ jobs:
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
- name: Upload Semgrep report to GitHub
uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
if: ${{ failure() || success() }}
with:
sarif_file: semgrep.sarif