mirror of
https://github.com/ivuorinen/actions.git
synced 2026-01-26 11:34:00 +00:00
Ismo Vuorinen
44a11e9773
* chore: update actions, cleanup pr-lint * chore: cleanup pre-commit config, formatting * chore: revert sigstore/cosign-installer downgrade * chore: formatting
239 lines
7.1 KiB
YAML
239 lines
7.1 KiB
YAML
---
|
|
# permissions:
|
|
# - security-events: write # Required for uploading SARIF results
|
|
# - contents: read # Required for checking out repository
|
|
name: CodeQL Analysis
|
|
description: Run CodeQL security analysis for a single language with configurable query suites
|
|
author: Ismo Vuorinen
|
|
|
|
branding:
|
|
icon: shield
|
|
color: blue
|
|
|
|
inputs:
|
|
language:
|
|
description: 'Language to analyze (javascript, python, actions, java, csharp, cpp, ruby, go, etc.)'
|
|
required: true
|
|
|
|
queries:
|
|
description: 'Comma-separated list of additional queries to run'
|
|
required: false
|
|
default: ''
|
|
|
|
packs:
|
|
description: 'Comma-separated list of CodeQL query packs to run'
|
|
required: false
|
|
default: ''
|
|
|
|
config-file:
|
|
description: 'Path to CodeQL configuration file'
|
|
required: false
|
|
default: ''
|
|
|
|
config:
|
|
description: 'Configuration passed as a YAML string'
|
|
required: false
|
|
default: ''
|
|
|
|
build-mode:
|
|
description: 'The build mode for compiled languages (none, manual, autobuild)'
|
|
required: false
|
|
default: ''
|
|
|
|
source-root:
|
|
description: 'Path of the root source code directory'
|
|
required: false
|
|
default: ''
|
|
|
|
category:
|
|
description: 'Analysis category (default: /language:<language>)'
|
|
required: false
|
|
default: ''
|
|
|
|
checkout-ref:
|
|
description: 'Git reference to checkout (default: current ref)'
|
|
required: false
|
|
default: ''
|
|
|
|
token:
|
|
description: 'GitHub token for API access'
|
|
required: false
|
|
default: ${{ github.token }}
|
|
|
|
working-directory:
|
|
description: 'Working directory for the analysis'
|
|
required: false
|
|
default: '.'
|
|
|
|
upload-results:
|
|
description: 'Upload results to GitHub Security tab'
|
|
required: false
|
|
default: 'true'
|
|
|
|
ram:
|
|
description: 'Amount of memory in MB that can be used by CodeQL'
|
|
required: false
|
|
default: ''
|
|
|
|
threads:
|
|
description: 'Number of threads that can be used by CodeQL'
|
|
required: false
|
|
default: ''
|
|
|
|
output:
|
|
description: 'Path to save SARIF results'
|
|
required: false
|
|
default: '../results'
|
|
|
|
skip-queries:
|
|
description: 'Build database but skip running queries'
|
|
required: false
|
|
default: 'false'
|
|
|
|
outputs:
|
|
language-analyzed:
|
|
description: 'Language that was analyzed'
|
|
value: ${{ inputs.language }}
|
|
|
|
analysis-category:
|
|
description: 'Category used for the analysis'
|
|
value: ${{ steps.set-category.outputs.category }}
|
|
|
|
sarif-file:
|
|
description: 'Path to generated SARIF file'
|
|
value: ${{ steps.analysis.outputs.sarif-file }}
|
|
|
|
runs:
|
|
using: composite
|
|
steps:
|
|
- name: Validate inputs
|
|
uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
|
|
with:
|
|
action-type: codeql-analysis
|
|
language: ${{ inputs.language }}
|
|
queries: ${{ inputs.queries }}
|
|
packs: ${{ inputs.packs }}
|
|
config-file: ${{ inputs.config-file }}
|
|
config: ${{ inputs.config }}
|
|
build-mode: ${{ inputs.build-mode }}
|
|
source-root: ${{ inputs.source-root }}
|
|
category: ${{ inputs.category }}
|
|
checkout-ref: ${{ inputs.checkout-ref }}
|
|
token: ${{ inputs.token }}
|
|
working-directory: ${{ inputs.working-directory }}
|
|
upload-results: ${{ inputs.upload-results }}
|
|
ram: ${{ inputs.ram }}
|
|
threads: ${{ inputs.threads }}
|
|
output: ${{ inputs.output }}
|
|
skip-queries: ${{ inputs.skip-queries }}
|
|
|
|
- name: Validate checkout safety
|
|
shell: sh
|
|
env:
|
|
CHECKOUT_REF: ${{ inputs.checkout-ref }}
|
|
EVENT_NAME: ${{ github.event_name }}
|
|
run: |
|
|
set -eu
|
|
# Security check: Warn if checking out custom ref on pull_request_target
|
|
if [ "$EVENT_NAME" = "pull_request_target" ] && [ -n "$CHECKOUT_REF" ]; then
|
|
echo "::warning::Using custom checkout-ref on pull_request_target is potentially unsafe"
|
|
echo "::warning::Ensure the ref is validated before running untrusted code"
|
|
fi
|
|
|
|
- name: Checkout repository
|
|
uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
|
|
with:
|
|
ref: ${{ inputs.checkout-ref || github.sha }}
|
|
token: ${{ inputs.token }}
|
|
|
|
- name: Set analysis category
|
|
id: set-category
|
|
shell: sh
|
|
env:
|
|
CATEGORY: ${{ inputs.category }}
|
|
LANGUAGE: ${{ inputs.language }}
|
|
run: |
|
|
set -eu
|
|
if [ -n "$CATEGORY" ]; then
|
|
category="$CATEGORY"
|
|
else
|
|
category="/language:$LANGUAGE"
|
|
fi
|
|
echo "category=$category" >> "$GITHUB_OUTPUT"
|
|
echo "Using analysis category: $category"
|
|
|
|
- name: Set build mode
|
|
id: set-build-mode
|
|
shell: sh
|
|
env:
|
|
BUILD_MODE: ${{ inputs.build-mode }}
|
|
LANGUAGE: ${{ inputs.language }}
|
|
run: |
|
|
set -eu
|
|
build_mode="$BUILD_MODE"
|
|
if [ -z "$build_mode" ]; then
|
|
# Auto-detect build mode based on language
|
|
case "$LANGUAGE" in
|
|
javascript|python|ruby|actions)
|
|
build_mode="none"
|
|
;;
|
|
java|csharp|cpp|c|go|swift|kotlin)
|
|
build_mode="autobuild"
|
|
;;
|
|
esac
|
|
fi
|
|
echo "build-mode=$build_mode" >> "$GITHUB_OUTPUT"
|
|
echo "Using build mode: $build_mode"
|
|
|
|
- name: Initialize CodeQL
|
|
uses: github/codeql-action/init@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
|
|
with:
|
|
languages: ${{ inputs.language }}
|
|
queries: ${{ inputs.queries }}
|
|
packs: ${{ inputs.packs }}
|
|
config-file: ${{ inputs.config-file }}
|
|
config: ${{ inputs.config }}
|
|
build-mode: ${{ steps.set-build-mode.outputs.build-mode }}
|
|
source-root: ${{ inputs.source-root || inputs.working-directory }}
|
|
ram: ${{ inputs.ram }}
|
|
threads: ${{ inputs.threads }}
|
|
|
|
- name: Autobuild
|
|
uses: github/codeql-action/autobuild@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
|
|
if: ${{ steps.set-build-mode.outputs.build-mode == 'autobuild' }}
|
|
|
|
- name: Perform CodeQL Analysis
|
|
id: analysis
|
|
uses: github/codeql-action/analyze@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
|
|
with:
|
|
category: ${{ steps.set-category.outputs.category }}
|
|
upload: ${{ inputs.upload-results }}
|
|
output: ${{ inputs.output }}
|
|
ram: ${{ inputs.ram }}
|
|
threads: ${{ inputs.threads }}
|
|
skip-queries: ${{ inputs.skip-queries }}
|
|
|
|
- name: Summary
|
|
shell: sh
|
|
env:
|
|
LANGUAGE: ${{ inputs.language }}
|
|
CATEGORY: ${{ steps.set-category.outputs.category }}
|
|
BUILD_MODE: ${{ steps.set-build-mode.outputs.build-mode }}
|
|
QUERIES: ${{ inputs.queries }}
|
|
PACKS: ${{ inputs.packs }}
|
|
UPLOAD_RESULTS: ${{ inputs.upload-results }}
|
|
OUTPUT: ${{ inputs.output }}
|
|
run: |
|
|
set -eu
|
|
echo "✅ CodeQL analysis completed for language: $LANGUAGE"
|
|
echo "📊 Category: $CATEGORY"
|
|
echo "🏗️ Build mode: $BUILD_MODE"
|
|
echo "🔍 Queries: ${QUERIES:-default}"
|
|
echo "📦 Packs: ${PACKS:-none}"
|
|
if [ "$UPLOAD_RESULTS" = "true" ]; then
|
|
echo "📤 Results uploaded to GitHub Security tab"
|
|
fi
|
|
if [ -n "$OUTPUT" ]; then
|
|
echo "💾 SARIF saved to: $OUTPUT"
|
|
fi
|