-
Notifications
You must be signed in to change notification settings - Fork 2
chore: Add CodeQL scanning #50
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,106 @@ | ||||||||||||||||||||||||
| # For most projects, this workflow file will not need changing; you simply need | ||||||||||||||||||||||||
| # to commit it to your repository. | ||||||||||||||||||||||||
| # | ||||||||||||||||||||||||
| # You may wish to alter this file to override the set of languages analyzed, | ||||||||||||||||||||||||
| # or to provide custom queries or build logic. | ||||||||||||||||||||||||
| # | ||||||||||||||||||||||||
| # ******** NOTE ******** | ||||||||||||||||||||||||
| # We have attempted to detect the languages in your repository. Please check | ||||||||||||||||||||||||
| # the `language` matrix defined below to confirm you have the correct set of | ||||||||||||||||||||||||
| # supported CodeQL languages. | ||||||||||||||||||||||||
| # | ||||||||||||||||||||||||
| name: "CodeQL Advanced" | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| on: | ||||||||||||||||||||||||
| push: | ||||||||||||||||||||||||
| branches: [ "main" ] | ||||||||||||||||||||||||
| pull_request: | ||||||||||||||||||||||||
| branches: [ "main" ] | ||||||||||||||||||||||||
| schedule: | ||||||||||||||||||||||||
| - cron: '44 8 * * 5' | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| jobs: | ||||||||||||||||||||||||
| analyze: | ||||||||||||||||||||||||
| name: Analyze (${{ matrix.language }}) | ||||||||||||||||||||||||
| # Runner size impacts CodeQL analysis time. To learn more, please see: | ||||||||||||||||||||||||
| # - https://gh.io/recommended-hardware-resources-for-running-codeql | ||||||||||||||||||||||||
| # - https://gh.io/supported-runners-and-hardware-resources | ||||||||||||||||||||||||
| # - https://gh.io/using-larger-runners (GitHub.com only) | ||||||||||||||||||||||||
| # Consider using larger runners or machines with greater resources for possible analysis time improvements. | ||||||||||||||||||||||||
| runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} | ||||||||||||||||||||||||
| permissions: | ||||||||||||||||||||||||
| # required for all workflows | ||||||||||||||||||||||||
| security-events: write | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| # required to fetch internal or private CodeQL packs | ||||||||||||||||||||||||
| packages: read | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| # only required for workflows in private repositories | ||||||||||||||||||||||||
| actions: read | ||||||||||||||||||||||||
| contents: read | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| strategy: | ||||||||||||||||||||||||
| fail-fast: false | ||||||||||||||||||||||||
| matrix: | ||||||||||||||||||||||||
| include: | ||||||||||||||||||||||||
| - language: actions | ||||||||||||||||||||||||
| build-mode: none | ||||||||||||||||||||||||
| - language: csharp | ||||||||||||||||||||||||
| build-mode: none | ||||||||||||||||||||||||
| - language: java-kotlin | ||||||||||||||||||||||||
|
Comment on lines
+52
to
+56
|
||||||||||||||||||||||||
| - language: actions | |
| build-mode: none | |
| - language: csharp | |
| build-mode: none | |
| - language: java-kotlin | |
| - language: csharp | |
| build-mode: none | |
| - language: java-kotlin | |
| build-mode: none | |
| - language: java-kotlin |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🔴 High: Code Vulnerability
Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Copilot
AI
Jul 10, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The manual build mode section always exits with code 1, which will cause the workflow to fail if any language is configured with 'manual' build mode. Consider providing actual build commands or removing languages that require manual building.
| echo 'If you are using a "manual" build mode for one or more of the' \ | |
| 'languages you are analyzing, replace this with the commands to build' \ | |
| 'your code, for example:' | |
| echo ' make bootstrap' | |
| echo ' make release' | |
| exit 1 | |
| echo 'Building the code in manual build mode...' | |
| # Replace the following commands with your actual build steps. | |
| make bootstrap | |
| make release | |
| echo 'Build completed successfully.' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🔴 High: Code Vulnerability
Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🔴 High: Code Vulnerability
No explicit permissions set for at the workflow level (...read more)
Default permissions for the
GITHUB_TOKENare expected to be restricted (contents:read,metadata:read, andpackages:read).Your repository may require a different setup, so consider defining permissions for each job following the least privilege principle to restrict the impact of a possible compromise.
You can find the list of all possible permissions in Workflow syntax for GitHub Actions - GitHub Docs. They can be defined at the job or the workflow level.