Limit CodeQL checks to main branch on push #4
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # For most projects, this workflow file will not need changing; you simply need | |
| # to commit it to your repository. | |
| # | |
| # You may wish to alter this file to override the set of languages analyzed, | |
| # or to provide custom queries or build logic. | |
| # | |
| name: "WarMatrix Security Suite" | |
| on: | |
| push: | |
| branches: [ "main"] | |
| pull_request: | |
| branches: [ "**" ] # Checks absolutely every PR from any branch before it can merge | |
| schedule: | |
| - cron: '0 0 * * 0' # Executes every Sunday at midnight UTC | |
| jobs: | |
| # Job 1: Deep Semantic Analysis of your source code | |
| analyze: | |
| name: CodeQL Analysis (${{ matrix.language }}) | |
| runs-on: 'ubuntu-latest' | |
| permissions: | |
| security-events: write # Required to upload security results | |
| packages: read # Required to fetch internal or private CodeQL packs | |
| actions: read # Required for private repositories | |
| contents: read # Required to checkout repository code | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - language: javascript-typescript | |
| build-mode: none | |
| - language: python | |
| build-mode: none | |
| # CodeQL supports: 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # Initializes the CodeQL tools for scanning. | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: ${{ matrix.build-mode }} | |
| # Prefix the list here with "+" to use these queries alongside default ones. | |
| # queries: +security-extended,security-and-quality | |
| # If the analyze step fails for a compiled language, modify the matrix above | |
| # to set the build mode to "manual" and replace the echo commands below. | |
| - name: Run manual build steps | |
| if: matrix.build-mode == 'manual' | |
| shell: bash | |
| run: | | |
| echo 'Replace this with the commands to build your code if a manual build is required.' | |
| exit 1 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| category: "/language:${{matrix.language}}" | |
| # Job 2: Fast Dependency (SCA) and Infrastructure-as-Code (IaC) Scan | |
| supply-chain: | |
| name: Trivy Security Scan | |
| runs-on: 'ubuntu-latest' | |
| permissions: | |
| security-events: write # Allows Trivy to publish findings to your GitHub Security tab | |
| contents: read # Required to read repository files | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Run Trivy Vulnerability Scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' # Scans the entire file system of the repo | |
| security-checks: 'vuln,config' # 'vuln' catches bad dependencies, 'config' catches Docker/IaC flaws | |
| format: 'sarif' # Generates a standard format GitHub understands | |
| output: 'trivy-results.sarif' | |
| severity: 'CRITICAL,HIGH' # Filters out low-priority noise | |
| - name: Upload Trivy results to GitHub Security | |
| uses: github/codeql-action/upload-sarif@v4 | |
| if: always() # Ensures results get uploaded even if flaws are found | |
| with: | |
| sarif_file: 'trivy-results.sarif' |