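############################
# Author : H0llyW00dzZ #
############################
# CodeQL scan for every language in `matrix.language`. The SARIF result is
# uploaded to code scanning and also stored as a GPG-encrypted artifact
# (encrypted to the repository owner's public GitHub key), and a comment is
# posted on pull requests once the analysis has run.
name: "CI: CodeQL Unit Testing Advanced"

on:
  push:
    # modify this branch
    branches:
      - master
    paths-ignore:
      - '**.md'
      - '.github/workflows/**'
  pull_request:
    branches:
      - master
    paths-ignore:
      - '**.md'
      - '.github/workflows/**'
    types: [opened, reopened, synchronize]
  schedule:
    - cron: '0 0 * * *'
  # allows you to run this workflow manually
  # The `inputs` section of the `workflow_dispatch` event defines an input parameter called `branch`
  workflow_dispatch:
    inputs:
      branch:
        description: 'Branch to scan'
        required: true
        default: 'master'

jobs:
  analyze:
    name: Analyze
    runs-on: ${{ matrix.language == 'swift' && 'macos-latest' || 'ubuntu-latest' }}
    timeout-minutes: ${{ matrix.language == 'swift' && 120 || 360 }}
    # Least privilege: `actions: read`, `contents: read` and `security-events: write`
    # are what the codeql-action steps use; `pull-requests: write` is only for the
    # final PR comment step. (`deployments: read` was granted previously but no
    # step in this job uses deployments, so it is dropped.)
    permissions:
      actions: read
      contents: read
      pull-requests: write
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        # this can be modified example if your repo is only python then remove 'javascript', 'go'
        language: ['go']
    steps:
      # NOTE(review): every third-party action below is pinned to a major tag only.
      # Pinning to a full commit SHA (`uses: owner/repo@<commit-sha>  # vN`) protects
      # against a moved or compromised tag; the tags are kept here to avoid guessing SHAs.
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          # Only set for workflow_dispatch runs; on push/pull_request/schedule the
          # expression is empty and checkout falls back to the event's own ref.
          ref: ${{ github.event.inputs.branch }}

      # Exposes the matrix language to later steps via `env.languages` and records
      # in `env.fileExists` whether the dependency manifest for that language is
      # present, so the install steps only run when there is something to install.
      # (The install steps used to test `matrix.fileExists`, which is not a matrix
      # key and therefore always evaluated false, so they never ran.)
      - name: Detect repository language
        id: detect-language
        run: |
          echo "languages=${{ matrix.language }}" >> "$GITHUB_ENV"
          case "${{ matrix.language }}" in
            python)     manifest="requirements.txt" ;;
            javascript) manifest="package-lock.json" ;;
            go)         manifest="go.mod" ;;
            *)          manifest="" ;;
          esac
          if [ -n "$manifest" ] && [ -f "$manifest" ]; then
            echo "fileExists=true" >> "$GITHUB_ENV"
          else
            echo "fileExists=false" >> "$GITHUB_ENV"
          fi

      - name: Set up Python
        if: ${{ matrix.language == 'python' }}
        uses: actions/setup-python@v4
        with:
          python-version: '3.x'
      - name: Install Python dependencies
        if: ${{ matrix.language == 'python' && env.fileExists == 'true' }}
        run: python -m pip install --upgrade pip && pip install -r requirements.txt

      # github need to fix this confusing alias javascript-typescript, because in the end are javascript LMAO
      - name: Set up JavaScript/TypeScript
        if: ${{ matrix.language == 'javascript' }}
        uses: actions/setup-node@v4
        with:
          node-version: '18'
      # note: this useless because in CodeQL about dependencies it's only for compiled language or python
      - name: Install JavaScript/TypeScript dependencies
        if: ${{ matrix.language == 'javascript' && env.fileExists == 'true' }}
        run: npm ci

      # note: ignore that warning in `setup up go` because this repo are using standard library, so go.sum not really needed lol
      - name: Set up Go
        if: ${{ matrix.language == 'go' }}
        uses: actions/setup-go@v4
        with:
          go-version: '1.21.5'
      - name: Install Go dependencies
        if: ${{ matrix.language == 'go' && env.fileExists == 'true' }}
        run: go mod download

      # Get CodeQL config from gist.
      # The URL names a specific gist revision, so the fetched content cannot change
      # underneath the workflow. `-f` makes a failed download (404, rate limit) fail
      # the step instead of silently writing an error page as the CodeQL config.
      - name: Get config from gist
        run: |
          mkdir -p .github/codeql
          curl -fsSL -o .github/codeql/codeql-config.yml "https://gist.githubusercontent.com/H0llyW00dzZ/230f3422c3be901915f2802d3a3314b1/raw/dbdae057dfeabc6af42d5322c948f563dc8277a1/codeql-config.yml"

      - name: Initialize CodeQL
        id: InitCodeQL
        uses: github/codeql-action/init@v2
        with:
          # Configuration for init codeQL
          languages: ${{ env.languages }}
          config-file: ./.github/codeql/codeql-config.yml

      # Attempt to automatically build code for compiled languages
      # Currently only for Go, but more can be added later
      - name: Attempt to automatically build code for ${{ matrix.language }}
        if: ${{ matrix.language == 'go' }}
        uses: github/codeql-action/autobuild@v2

      - name: Perform CodeQL-Security Analysis
        if: ${{ env.languages != '' }}
        id: CodeQL
        uses: github/codeql-action/analyze@v2
        with:
          # disable default upload because using multiple method
          upload: false
          # snippets for SARIF file
          add-snippets: true

      - name: Upload ${{ matrix.language }} SARIF for Analysis Result
        if: ${{ matrix.language && env.languages != '' }}
        id: upload-Analysis_Result-sarif
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ runner.workspace }}/results/${{ matrix.language }}.sarif
          category: "Analysis Result: ${{ matrix.language }}"

      # since it public everyone can see in artifact about Analysis Result
      # just for incase you can disable this later by block #
      # The SARIF is encrypted to the repository owner's public key as published on
      # their GitHub profile; only the holder of the matching private key can read
      # the artifact. The recipient is the first `pub` key in the freshly imported
      # keyring, so if the profile publishes several keys the first one wins.
      - name: Encrypt Analysis Result
        if: ${{ matrix.language && env.languages != '' }}
        id: Encrypt_Analysis
        run: |
          curl -fsSL "https://github.com/${{ github.repository_owner }}.gpg" -o keyfile
          gpg --import keyfile
          gpg --encrypt --recipient "$(gpg --list-keys --keyid-format LONG | grep '^pub' | awk '{print $2}' | awk -F'/' '{print $2}')" --trust-model always "${{ runner.workspace }}/results/${{ matrix.language }}.sarif"

      # Same guard as the encrypt step: without it this step fails on runs where
      # no `.sarif.gpg` was produced.
      - name: Upload Analysis Result As Artifact
        if: ${{ matrix.language && env.languages != '' }}
        uses: actions/upload-artifact@v3
        with:
          name: Analysis_Result (SARIF + Encrypted)
          path: ${{ runner.workspace }}/results/${{ matrix.language }}.sarif.gpg

      # Publishes `codeql_status` and `pull_request_number` as step outputs for the
      # PR comment step. Only `$GITHUB_OUTPUT` is written: `$GITHUB_STATE` is read
      # by an action's own pre/post hooks, which nothing here consumes.
      - name: Check CodeQL Unit Testing status
        if: ${{ github.event_name == 'pull_request' }}
        id: check-status
        run: |
          if [ -f "${{ runner.workspace }}/results/${{ matrix.language }}.sarif.gpg" ]; then
            echo "codeql_status=done" >> "$GITHUB_OUTPUT"
            echo "pull_request_number=${{ github.event.pull_request.number }}" >> "$GITHUB_OUTPUT"
          else
            echo "codeql_status=pending" >> "$GITHUB_OUTPUT"
          fi

      # NOTE(review): on `pull_request` runs from forks GITHUB_TOKEN is read-only
      # regardless of the `permissions` block, so this comment step may fail there.
      - name: PR comment
        if: ${{ steps.check-status.outputs.codeql_status == 'done' && github.event_name == 'pull_request' }}
        uses: NejcZdovc/comment-pr@v2
        with:
          message: "CodeQL analysis is complete for PR #${{ steps.check-status.outputs.pull_request_number }}"
          github_token: ${{ secrets.GITHUB_TOKEN }}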