actions/codeql-analysis/action.yml

---
# permissions:
#   - security-events: write  # Required for uploading SARIF results
#   - contents: read          # Required for checking out repository
name: CodeQL Analysis
description: Run CodeQL security analysis for a single language with configurable query suites
author: Ismo Vuorinen

branding:
  icon: shield
  color: blue

inputs:
  language:
    description: 'Language to analyze (javascript, python, actions, java, csharp, cpp, ruby, go, etc.)'
    required: true

  queries:
    description: 'Comma-separated list of additional queries to run'
    required: false
    default: ''

  packs:
    description: 'Comma-separated list of CodeQL query packs to run'
    required: false
    default: ''

  config-file:
    description: 'Path to CodeQL configuration file'
    required: false
    default: ''

  config:
    description: 'Configuration passed as a YAML string'
    required: false
    default: ''

  build-mode:
    description: 'The build mode for compiled languages (none, manual, autobuild)'
    required: false
    default: ''

  source-root:
    description: 'Path of the root source code directory'
    required: false
    default: ''

  category:
    description: 'Analysis category (default: /language:<language>)'
    required: false
    default: ''

  checkout-ref:
    description: 'Git reference to checkout (default: current ref)'
    required: false
    default: ''

  token:
    description: 'GitHub token for API access'
    required: false
    default: ${{ github.token }}

  working-directory:
    description: 'Working directory for the analysis'
    required: false
    default: '.'

  upload-results:
    description: 'Upload results to GitHub Security tab'
    required: false
    default: 'true'

  ram:
    description: 'Amount of memory in MB that can be used by CodeQL'
    required: false
    default: ''

  threads:
    description: 'Number of threads that can be used by CodeQL'
    required: false
    default: ''

  output:
    description: 'Path to save SARIF results'
    required: false
    default: '../results'

  skip-queries:
    description: 'Build database but skip running queries'
    required: false
    default: 'false'

outputs:
  language-analyzed:
    description: 'Language that was analyzed'
    value: ${{ inputs.language }}

  analysis-category:
    description: 'Category used for the analysis'
    value: ${{ steps.set-category.outputs.category }}

  sarif-file:
    description: 'Path to generated SARIF file'
    value: ${{ steps.analysis.outputs.sarif-file }}

runs:
  using: composite
  steps:
    - name: Validate inputs
      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
      with:
        action-type: codeql-analysis
        language: ${{ inputs.language }}
        queries: ${{ inputs.queries }}
        packs: ${{ inputs.packs }}
        config-file: ${{ inputs.config-file }}
        config: ${{ inputs.config }}
        build-mode: ${{ inputs.build-mode }}
        source-root: ${{ inputs.source-root }}
        category: ${{ inputs.category }}
        checkout-ref: ${{ inputs.checkout-ref }}
        token: ${{ inputs.token }}
        working-directory: ${{ inputs.working-directory }}
        upload-results: ${{ inputs.upload-results }}
        ram: ${{ inputs.ram }}
        threads: ${{ inputs.threads }}
        output: ${{ inputs.output }}
        skip-queries: ${{ inputs.skip-queries }}

    - name: Validate checkout safety
      shell: sh
      env:
        CHECKOUT_REF: ${{ inputs.checkout-ref }}
        EVENT_NAME: ${{ github.event_name }}
      run: |
        set -eu
        # Security check: Warn if checking out custom ref on pull_request_target
        if [ "$EVENT_NAME" = "pull_request_target" ] && [ -n "$CHECKOUT_REF" ]; then
          echo "::warning::Using custom checkout-ref on pull_request_target is potentially unsafe"
          echo "::warning::Ensure the ref is validated before running untrusted code"
        fi

    - name: Checkout repository
      uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
      with:
        ref: ${{ inputs.checkout-ref || github.sha }}
        token: ${{ inputs.token }}

    - name: Set analysis category
      id: set-category
      shell: sh
      env:
        CATEGORY: ${{ inputs.category }}
        LANGUAGE: ${{ inputs.language }}
      run: |
        set -eu
        if [ -n "$CATEGORY" ]; then
          category="$CATEGORY"
        else
          category="/language:$LANGUAGE"
        fi
        echo "category=$category" >> "$GITHUB_OUTPUT"
        echo "Using analysis category: $category"

    - name: Set build mode
      id: set-build-mode
      shell: sh
      env:
        BUILD_MODE: ${{ inputs.build-mode }}
        LANGUAGE: ${{ inputs.language }}
      run: |
        set -eu
        build_mode="$BUILD_MODE"
        if [ -z "$build_mode" ]; then
          # Auto-detect build mode based on language
          case "$LANGUAGE" in
            javascript|python|ruby|actions)
              build_mode="none"
              ;;
            java|csharp|cpp|c|go|swift|kotlin)
              build_mode="autobuild"
              ;;
          esac
        fi
        echo "build-mode=$build_mode" >> "$GITHUB_OUTPUT"
        echo "Using build mode: $build_mode"

    - name: Initialize CodeQL
      uses: github/codeql-action/init@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
      with:
        languages: ${{ inputs.language }}
        queries: ${{ inputs.queries }}
        packs: ${{ inputs.packs }}
        config-file: ${{ inputs.config-file }}
        config: ${{ inputs.config }}
        build-mode: ${{ steps.set-build-mode.outputs.build-mode }}
        source-root: ${{ inputs.source-root || inputs.working-directory }}
        ram: ${{ inputs.ram }}
        threads: ${{ inputs.threads }}

    - name: Autobuild
      uses: github/codeql-action/autobuild@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
      if: ${{ steps.set-build-mode.outputs.build-mode == 'autobuild' }}

    - name: Perform CodeQL Analysis
      id: analysis
      uses: github/codeql-action/analyze@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
      with:
        category: ${{ steps.set-category.outputs.category }}
        upload: ${{ inputs.upload-results }}
        output: ${{ inputs.output }}
        ram: ${{ inputs.ram }}
        threads: ${{ inputs.threads }}
        skip-queries: ${{ inputs.skip-queries }}

    - name: Summary
      shell: sh
      env:
        LANGUAGE: ${{ inputs.language }}
        CATEGORY: ${{ steps.set-category.outputs.category }}
        BUILD_MODE: ${{ steps.set-build-mode.outputs.build-mode }}
        QUERIES: ${{ inputs.queries }}
        PACKS: ${{ inputs.packs }}
        UPLOAD_RESULTS: ${{ inputs.upload-results }}
        OUTPUT: ${{ inputs.output }}
      run: |
        set -eu
        echo "✅ CodeQL analysis completed for language: $LANGUAGE"
        echo "📊 Category: $CATEGORY"
        echo "🏗️ Build mode: $BUILD_MODE"
        echo "🔍 Queries: ${QUERIES:-default}"
        echo "📦 Packs: ${PACKS:-none}"
        if [ "$UPLOAD_RESULTS" = "true" ]; then
          echo "📤 Results uploaded to GitHub Security tab"
        fi
        if [ -n "$OUTPUT" ]; then
          echo "💾 SARIF saved to: $OUTPUT"
        fi