-
Notifications
You must be signed in to change notification settings - Fork 4
86 lines (75 loc) · 3.05 KB
/
Copy pathcodeql.yml
File metadata and controls
86 lines (75 loc) · 3.05 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
name: "WarMatrix Security Suite"
on:
push:
branches: [ "main"]
pull_request:
branches: [ "**" ] # Checks absolutely every PR from any branch before it can merge
schedule:
- cron: '0 0 * * 0'
workflow_dispatch:
jobs:
# Job 1: Deep Semantic Analysis of your source code
analyze:
name: CodeQL Analysis (${{ matrix.language }})
runs-on: 'ubuntu-latest'
permissions:
security-events: write # Required to upload security results
packages: read # Required to fetch internal or private CodeQL packs
actions: read # Required for private repositories
contents: read # Required to checkout repository code
strategy:
fail-fast: false
matrix:
include:
- language: javascript-typescript
build-mode: none
- language: python
build-mode: none
# CodeQL supports: 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
# Prefix the list here with "+" to use these queries alongside default ones.
# queries: +security-extended,security-and-quality
# If the analyze step fails for a compiled language, modify the matrix above
# to set the build mode to "manual" and replace the echo commands below.
- name: Run manual build steps
if: matrix.build-mode == 'manual'
shell: bash
run: |
echo 'Replace this with the commands to build your code if a manual build is required.'
exit 1
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: "/language:${{matrix.language}}"
# Job 2: Fast Dependency (SCA) and Infrastructure-as-Code (IaC) Scan
supply-chain:
name: Trivy Security Scan
runs-on: 'ubuntu-latest'
permissions:
security-events: write # Allows Trivy to publish findings to your GitHub Security tab
contents: read # Required to read repository files
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Run Trivy Vulnerability Scanner
uses: aquasecurity/trivy-action@v0.36.0 # Pinned to a stable release version
with:
scan-type: 'fs'
scan-ref: '.' # Explicitly targets the repo root directory
scanners: 'vuln,config' # Replaced 'security-checks' with the valid 'scanners' input
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy results to GitHub Security
uses: github/codeql-action/upload-sarif@v4
if: always() # Ensures results get uploaded even if flaws are found
with:
sarif_file: 'trivy-results.sarif'