Clean up comments in codeql.yml #7
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "WarMatrix Security Suite" | |
| on: | |
| push: | |
| branches: [ "main"] | |
| pull_request: | |
| branches: [ "**" ] # Checks absolutely every PR from any branch before it can merge | |
| schedule: | |
| - cron: '0 0 * * 0' # Executes every Sunday at midnight UTC | |
| jobs: | |
| # Job 1: Deep Semantic Analysis of your source code | |
| analyze: | |
| name: CodeQL Analysis (${{ matrix.language }}) | |
| runs-on: 'ubuntu-latest' | |
| permissions: | |
| security-events: write # Required to upload security results | |
| packages: read # Required to fetch internal or private CodeQL packs | |
| actions: read # Required for private repositories | |
| contents: read # Required to checkout repository code | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - language: javascript-typescript | |
| build-mode: none | |
| - language: python | |
| build-mode: none | |
| # CodeQL supports: 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # Initializes the CodeQL tools for scanning. | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: ${{ matrix.build-mode }} | |
| # Prefix the list here with "+" to use these queries alongside default ones. | |
| # queries: +security-extended,security-and-quality | |
| # If the analyze step fails for a compiled language, modify the matrix above | |
| # to set the build mode to "manual" and replace the echo commands below. | |
| - name: Run manual build steps | |
| if: matrix.build-mode == 'manual' | |
| shell: bash | |
| run: | | |
| echo 'Replace this with the commands to build your code if a manual build is required.' | |
| exit 1 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| category: "/language:${{matrix.language}}" | |
| # Job 2: Fast Dependency (SCA) and Infrastructure-as-Code (IaC) Scan | |
| supply-chain: | |
| name: Trivy Security Scan | |
| runs-on: 'ubuntu-latest' | |
| permissions: | |
| security-events: write # Allows Trivy to publish findings to your GitHub Security tab | |
| contents: read # Required to read repository files | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Run Trivy Vulnerability Scanner | |
| uses: aquasecurity/trivy-action@v0.36.0 # Pinned to a stable release version | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' # Explicitly targets the repo root directory | |
| scanners: 'vuln,config' # Replaced 'security-checks' with the valid 'scanners' input | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Upload Trivy results to GitHub Security | |
| uses: github/codeql-action/upload-sarif@v4 | |
| if: always() # Ensures results get uploaded even if flaws are found | |
| with: | |
| sarif_file: 'trivy-results.sarif' |