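---
# Composite action: run CodeQL (init -> optional autobuild -> analyze) for ONE language.
# Composite actions cannot declare permissions; the calling workflow must grant:
# permissions:
#   - security-events: write  # Required for uploading SARIF results
#   - contents: read          # Required for checking out repository
name: CodeQL Analysis
description: Run CodeQL security analysis for a single language with configurable query suites
author: Ismo Vuorinen

branding:
  icon: shield
  color: blue

# All inputs are strings (composite-action semantics); booleans are the literal
# strings 'true' / 'false' and are compared as such in the shell steps below.
inputs:
  language:
    description: 'Language to analyze (javascript, python, actions, java, csharp, cpp, ruby, go, etc.)'
    required: true
  queries:
    description: 'Comma-separated list of additional queries to run'
    required: false
    default: ''
  packs:
    description: 'Comma-separated list of CodeQL query packs to run'
    required: false
    default: ''
  config-file:
    description: 'Path to CodeQL configuration file'
    required: false
    default: ''
  config:
    description: 'Configuration passed as a YAML string'
    required: false
    default: ''
  build-mode:
    # NOTE: 'manual' is accepted, but this composite action has no hook between the
    # init and analyze steps in which a caller could run its own build; use
    # 'autobuild' here, or drive init/analyze directly from the workflow for manual builds.
    description: 'The build mode for compiled languages (none, manual, autobuild)'
    required: false
    default: ''
  source-root:
    description: 'Path of the root source code directory'
    required: false
    default: ''
  category:
    description: 'Analysis category (default: /language:)'
    required: false
    default: ''
  checkout-ref:
    # Caution on pull_request_target: a custom ref pointing at untrusted PR code is
    # checked out and (with autobuild) executed under the caller's token.
    description: 'Git reference to checkout (default: current ref)'
    required: false
    default: ''
  token:
    description: 'GitHub token for API access'
    required: false
    default: ${{ github.token }}
  working-directory:
    description: 'Working directory for the analysis'
    required: false
    default: '.'
  upload-results:
    description: 'Upload results to GitHub Security tab'
    required: false
    default: 'true'
  ram:
    description: 'Amount of memory in MB that can be used by CodeQL'
    required: false
    default: ''
  threads:
    description: 'Number of threads that can be used by CodeQL'
    required: false
    default: ''
  output:
    description: 'Path to save SARIF results'
    required: false
    default: '../results'
  skip-queries:
    description: 'Build database but skip running queries'
    required: false
    default: 'false'

outputs:
  language-analyzed:
    description: 'Language that was analyzed'
    value: ${{ inputs.language }}
  analysis-category:
    description: 'Category used for the analysis'
    value: ${{ steps.set-category.outputs.category }}
  sarif-file:
    # NOTE(review): github/codeql-action/analyze documents `sarif-output` (the
    # output directory) and `sarif-id` as outputs; an output named `sarif-file`
    # is not something I can confirm against the pinned version — verify, otherwise
    # this value resolves to an empty string.
    description: 'Path to generated SARIF file'
    value: ${{ steps.analysis.outputs.sarif-file }}

runs:
  using: composite
  steps:
    # Every shell step below reads expression values through `env:` rather than
    # interpolating `${{ }}` into `run:`, which keeps caller-controlled input
    # (refs, categories, queries) out of the script text.
    - name: Validate inputs
      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
      with:
        action-type: codeql-analysis
        language: ${{ inputs.language }}
        queries: ${{ inputs.queries }}
        packs: ${{ inputs.packs }}
        config-file: ${{ inputs.config-file }}
        config: ${{ inputs.config }}
        build-mode: ${{ inputs.build-mode }}
        source-root: ${{ inputs.source-root }}
        category: ${{ inputs.category }}
        checkout-ref: ${{ inputs.checkout-ref }}
        token: ${{ inputs.token }}
        working-directory: ${{ inputs.working-directory }}
        upload-results: ${{ inputs.upload-results }}
        ram: ${{ inputs.ram }}
        threads: ${{ inputs.threads }}
        output: ${{ inputs.output }}
        skip-queries: ${{ inputs.skip-queries }}

    # Warns (does not fail) when a custom ref is checked out on pull_request_target,
    # where the workflow runs with the base repository's token.
    - name: Validate checkout safety
      shell: sh
      env:
        CHECKOUT_REF: ${{ inputs.checkout-ref }}
        EVENT_NAME: ${{ github.event_name }}
      run: |
        set -eu
        # Security check: Warn if checking out custom ref on pull_request_target
        if [ "$EVENT_NAME" = "pull_request_target" ] && [ -n "$CHECKOUT_REF" ]; then
          echo "::warning::Using custom checkout-ref on pull_request_target is potentially unsafe"
          echo "::warning::Ensure the ref is validated before running untrusted code"
        fi

    # Falls back to github.sha (the base/merge commit) when no ref is given.
    - name: Checkout repository
      uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
      with:
        ref: ${{ inputs.checkout-ref || github.sha }}
        token: ${{ inputs.token }}

    # Category distinguishes SARIF uploads from multiple analyses on one commit;
    # the default follows the codeql-action convention "/language:<lang>".
    - name: Set analysis category
      id: set-category
      shell: sh
      env:
        CATEGORY: ${{ inputs.category }}
        LANGUAGE: ${{ inputs.language }}
      run: |
        set -eu
        if [ -n "$CATEGORY" ]; then
          category="$CATEGORY"
        else
          category="/language:$LANGUAGE"
        fi
        echo "category=$category" >> "$GITHUB_OUTPUT"
        echo "Using analysis category: $category"

    # Resolves the build mode. An explicit input wins; otherwise it is derived from
    # the language. Languages not listed yield an empty build mode, which leaves the
    # choice to codeql-action AND skips the Autobuild step below — compiled languages
    # outside this list therefore need an explicit `build-mode` input.
    - name: Set build mode
      id: set-build-mode
      shell: sh
      env:
        BUILD_MODE: ${{ inputs.build-mode }}
        LANGUAGE: ${{ inputs.language }}
      run: |
        set -eu
        build_mode="$BUILD_MODE"
        if [ -z "$build_mode" ]; then
          # Auto-detect build mode based on language.
          # The combined identifiers (javascript-typescript, java-kotlin, c-cpp) are
          # the aliases codeql-action itself accepts for these languages.
          case "$LANGUAGE" in
            javascript|javascript-typescript|python|ruby|actions) build_mode="none" ;;
            java|java-kotlin|csharp|cpp|c|c-cpp|go|swift|kotlin) build_mode="autobuild" ;;
          esac
        fi
        echo "build-mode=$build_mode" >> "$GITHUB_OUTPUT"
        echo "Using build mode: $build_mode"

    - name: Initialize CodeQL
      uses: github/codeql-action/init@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
      with:
        languages: ${{ inputs.language }}
        queries: ${{ inputs.queries }}
        packs: ${{ inputs.packs }}
        config-file: ${{ inputs.config-file }}
        config: ${{ inputs.config }}
        build-mode: ${{ steps.set-build-mode.outputs.build-mode }}
        # source-root falls back to working-directory ('.' by default)
        source-root: ${{ inputs.source-root || inputs.working-directory }}
        ram: ${{ inputs.ram }}
        threads: ${{ inputs.threads }}

    # Only runs for the 'autobuild' mode; 'none' needs no build and 'manual' has no
    # hook in this composite action (see the build-mode input note).
    - name: Autobuild
      uses: github/codeql-action/autobuild@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
      if: ${{ steps.set-build-mode.outputs.build-mode == 'autobuild' }}

    - name: Perform CodeQL Analysis
      id: analysis
      uses: github/codeql-action/analyze@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
      with:
        category: ${{ steps.set-category.outputs.category }}
        upload: ${{ inputs.upload-results }}
        output: ${{ inputs.output }}
        ram: ${{ inputs.ram }}
        threads: ${{ inputs.threads }}
        skip-queries: ${{ inputs.skip-queries }}

    # Human-readable log summary only; nothing here affects the analysis.
    - name: Summary
      shell: sh
      env:
        LANGUAGE: ${{ inputs.language }}
        CATEGORY: ${{ steps.set-category.outputs.category }}
        BUILD_MODE: ${{ steps.set-build-mode.outputs.build-mode }}
        QUERIES: ${{ inputs.queries }}
        PACKS: ${{ inputs.packs }}
        UPLOAD_RESULTS: ${{ inputs.upload-results }}
        OUTPUT: ${{ inputs.output }}
      run: |
        set -eu
        echo "✅ CodeQL analysis completed for language: $LANGUAGE"
        echo "📊 Category: $CATEGORY"
        echo "🏗️ Build mode: $BUILD_MODE"
        echo "🔍 Queries: ${QUERIES:-default}"
        echo "📦 Packs: ${PACKS:-none}"
        if [ "$UPLOAD_RESULTS" = "true" ]; then
          echo "📤 Results uploaded to GitHub Security tab"
        fi
        if [ -n "$OUTPUT" ]; then
          echo "💾 SARIF saved to: $OUTPUT"
        fi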