Read and write checks to/from attestable data #739
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CodeQL | |
| on: | |
| push: | |
| branches: [main, sbp] | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| # Run every Monday at 5:30 AM UTC | |
| - cron: '30 5 * * 1' | |
| jobs: | |
| analyze: | |
| name: Analyze | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| packages: read | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - language: python | |
| suppression_pack: +codeql/python-queries:AlertSuppression.ql | |
| - language: actions | |
| suppression_pack: "" | |
| - language: javascript-typescript | |
| suppression_pack: "" | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd | |
| with: | |
| persist-credentials: false | |
| - name: Start CodeQL | |
| uses: github/codeql-action/init@267c4672a565967e4531438f2498370de5e8a98d | |
| with: | |
| languages: ${{ matrix.language }} | |
| queries: security-extended | |
| packs: ${{ matrix.suppression_pack }} | |
| config-file: ./codeql-config.yml | |
| - name: Perform CodeQL analysis | |
| id: analyze | |
| uses: github/codeql-action/analyze@267c4672a565967e4531438f2498370de5e8a98d | |
| with: | |
| category: "/language:${{ matrix.language }}" | |
| output: sarif-results | |
| - name: Show SARIF suppressed result statistics | |
| id: sarif-stats | |
| run: | | |
| python - <<'PY' | |
| import json, os, pathlib | |
| sarif_dir = pathlib.Path("sarif-results") | |
| sarif_files = list(sarif_dir.glob("*.sarif")) | |
| if not sarif_files: | |
| print("No SARIF files found in sarif-results/") | |
| raise SystemExit(1) | |
| p = sarif_files[0] | |
| data = json.loads(p.read_text()) | |
| results = data["runs"][0].get("results", []) | |
| suppressed = [r for r in results if r.get("suppressions")] | |
| print(f"SARIF file: {p}") | |
| print(f"Total results: {len(results)}") | |
| print(f"Suppressed results: {len(suppressed)}") | |
| with open(os.environ["GITHUB_OUTPUT"], "a") as f: | |
| f.write(f"sarif-file={p}\n") | |
| PY | |
| - name: Dismiss alerts of suppressed results | |
| if: github.ref == 'refs/heads/main' | |
| uses: advanced-security/dismiss-alerts@046d6b48d2e43cf563f96f67332c47c432eff83e | |
| with: | |
| sarif-id: ${{ steps.analyze.outputs.sarif-id }} | |
| sarif-file: ${{ steps.sarif-stats.outputs.sarif-file }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |