|
18 | 18 | branches: [ "main" ] |
19 | 19 | schedule: |
20 | 20 | - cron: '34 20 * * 5' |
| 21 | + workflow_dispatch: |
| 22 | + inputs: |
| 23 | + test_email: |
| 24 | + description: 'Test email notification' |
| 25 | + required: false |
| 26 | + default: 'false' |
| 27 | + type: choice |
| 28 | + options: |
| 29 | + - 'false' |
| 30 | + - 'true' |
21 | 31 |
|
22 | 32 | jobs: |
23 | 33 | analyze: |
@@ -102,6 +112,68 @@ jobs: |
102 | 112 | with: |
103 | 113 | category: "/language:${{matrix.language}}" |
104 | 114 |
|
| 115 | + - name: Check for Security Issues |
| 116 | + id: check-security |
| 117 | + run: | |
| 118 | + # Check if SARIF results contain any security findings |
| 119 | + if [ -d "${{ github.workspace }}/.github/codeql-action/results" ]; then |
| 120 | + SARIF_FILES=$(find "${{ github.workspace }}/.github/codeql-action/results" -name "*.sarif" -type f 2>/dev/null || true) |
| 121 | + if [ -n "$SARIF_FILES" ]; then |
| 122 | + FINDINGS_COUNT=$(jq -r '.runs[].results | length' $SARIF_FILES 2>/dev/null | awk '{sum+=$1} END {print sum+0}') |
| 123 | + echo "findings_count=$FINDINGS_COUNT" >> $GITHUB_OUTPUT |
| 124 | + if [ "$FINDINGS_COUNT" -gt 0 ]; then |
| 125 | + echo "security_issues_found=true" >> $GITHUB_OUTPUT |
| 126 | + echo "Found $FINDINGS_COUNT security issues" |
| 127 | + else |
| 128 | + echo "security_issues_found=false" >> $GITHUB_OUTPUT |
| 129 | + echo "No security issues found" |
| 130 | + fi |
| 131 | + else |
| 132 | + echo "security_issues_found=false" >> $GITHUB_OUTPUT |
| 133 | + echo "No SARIF files found" |
| 134 | + fi |
| 135 | + else |
| 136 | + echo "security_issues_found=false" >> $GITHUB_OUTPUT |
| 137 | + echo "No CodeQL results directory found" |
| 138 | + fi |
| 139 | +
|
| 140 | + - name: Create Security Issue on Findings |
| 141 | + if: steps.check-security.outputs.security_issues_found == 'true' || github.event.inputs.test_email == 'true' |
| 142 | + uses: actions/github-script@v7 |
| 143 | + with: |
| 144 | + script: | |
| 145 | + const title = `🚨 Security Issues Detected - ${context.payload.head_commit?.message || 'Latest commit'}`; |
| 146 | + const body = `## Security Alert |
| 147 | + |
| 148 | + CodeQL analysis has detected **${{ steps.check-security.outputs.findings_count }}** security issue(s) in the codebase. |
| 149 | + |
| 150 | + ### Details: |
| 151 | + - **Repository**: ${{ github.repository }} |
| 152 | + - **Branch**: ${{ github.ref_name }} |
| 153 | + - **Commit**: ${{ github.sha }} |
| 154 | + - **Workflow Run**: [${{ github.run_number }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) |
| 155 | + - **Language**: ${{ matrix.language }} |
| 156 | + |
| 157 | + ### Action Required: |
| 158 | + Please review the security findings immediately: |
| 159 | + - [View Security Tab](${{ github.server_url }}/${{ github.repository }}/security/code-scanning) |
| 160 | + - [View Workflow Run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) |
| 161 | + |
| 162 | + ### Assignees: |
| 163 | + @elvin03 please review and address these security issues. |
| 164 | + |
| 165 | + --- |
| 166 | + *This issue was automatically created by the CodeQL security workflow.*`; |
| 167 | + |
| 168 | + await github.rest.issues.create({ |
| 169 | + owner: context.repo.owner, |
| 170 | + repo: context.repo.repo, |
| 171 | + title: title, |
| 172 | + body: body, |
| 173 | + labels: ['security', 'automated', 'high-priority'], |
| 174 | + assignees: ['elvin03'] |
| 175 | + }); |
| 176 | +
|
105 | 177 | - name: Generate Security Report |
106 | 178 | uses: rsdmike/github-security-report-action@v3.0.4 |
107 | 179 | with: |
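Review bot: The directory tested on new line 119, `.github/codeql-action/results`, is not where `github/codeql-action/analyze` writes SARIF by default (its `output` input defaults to `../results`, i.e. outside the workspace), so unless the analyze step earlier in this job — outside this hunk, which also continues past the `Generate Security Report` step — overrides `output:` to that path, the script always takes the "No CodeQL results directory found" branch, `security_issues_found` is always `false`, and the issue is never opened; reading `steps.<analyze-id>.outputs.sarif-output` or setting `output:` explicitly would make the check deterministic, and those fallback branches should also write `findings_count=0` so the `test_email` path does not render an empty count. Separately, the `script:` body inlines `${{ github.ref_name }}`, `${{ github.sha }}`, `${{ steps.check-security.outputs.findings_count }}` and `${{ matrix.language }}` straight into JavaScript; none of these is attacker-controlled for the `push`/`schedule`/`workflow_dispatch` triggers visible here, but expression expansion inside a script is the standard workflow-injection pattern, so taking them from `context` and an `env:` block keeps the step safe if a `pull_request` trigger is ever added. `issues.create` also requires `issues: write` in the job's `permissions` (the stock CodeQL template grants only `security-events: write`, `actions: read`, `contents: read`), and because the count is `.runs[].results | length` with no severity filter or duplicate check, every scheduled run with any open alert files a fresh issue.
```yaml
      - name: Create Security Issue on Findings
        if: steps.check-security.outputs.security_issues_found == 'true' || github.event.inputs.test_email == 'true'
        uses: actions/github-script@v7
        env:
          FINDINGS_COUNT: ${{ steps.check-security.outputs.findings_count }}
          LANGUAGE: ${{ matrix.language }}
        with:
          script: |
            const { owner, repo } = context.repo;
            const runUrl = `${context.serverUrl}/${owner}/${repo}/actions/runs/${context.runId}`;
            const findings = process.env.FINDINGS_COUNT || '0';
            const language = process.env.LANGUAGE;
            const branch = context.ref.replace(/^refs\/heads\//, '');
            // … unchanged: title …
            const body = `## Security Alert

            CodeQL analysis has detected **${findings}** security issue(s) in the codebase.

            ### Details:
            - **Repository**: ${owner}/${repo}
            - **Branch**: ${branch}
            - **Commit**: ${context.sha}
            - **Workflow Run**: [${context.runNumber}](${runUrl})
            - **Language**: ${language}
            // … unchanged: Action Required / Assignees sections, with ${runUrl} and `${context.serverUrl}/${owner}/${repo}/security/code-scanning` in place of the ${{ }} links …
            // … unchanged: github.rest.issues.create call …
```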
|