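# THIS CODE WAS AUTOGENERATED. DO NOT MODIFY THIS FILE DIRECTLY
# THE SOURCE CODE LIVES IN A DIFFERENT REPOSITORY:
# - centralized-templates
# FILE STEWARD: @pleo-io/team-security
#
# Workflow layout:
#   preflight        - decides whether the CodeQL job should run for this event
#   wiz-cli-scanning - dependency / container scanning via a reusable workflow
#   languages        - builds the CodeQL language matrix from the repo's languages_url
#   analyze-code     - runs CodeQL once per language in the matrix
name: CodeQL Analysis
on:
  push:
    branches:
      - main
      - master
      - develop
  pull_request:
    branches:
      - main
      - master
      - develop
  merge_group:
    types: [checks_requested]
env:
  # Optional CodeQL config file, forwarded to the analysis action as `config_file`
  CONFIG_FILE: ""
  # When "false", pushes to the repository's default branch skip the CodeQL job
  RUN_ON_DEFAULT_BRANCH: true
jobs:
  preflight:
    # NOTE(review): this skip matches '(deps)' while the other jobs match the broader
    # 'deps'; confirm in the template whether the difference is intended.
    if: ${{ !contains(github.event.pull_request.title, '(deps)') }}
    name: Determine if CodeQL should run
    runs-on: ubuntu-latest
    # Least privilege: the only token use in this job is a read of repository metadata
    permissions:
      contents: read
    outputs:
      should_run_analyze: ${{ steps.maybe_skip_analyze.outputs.should_run_analyze }}
    steps:
      # Splits "owner/repo" so the bare repo name can be passed to the API call below
      - uses: winterjung/split@a211a1c46e35fcdc4097d59dd6282d4a9859651b # v2
        id: split
        with:
          msg: ${{ github.repository }}
          separator: "/"
      - id: get_default_branch
        name: Determine our default branch
        # NOTE(review): this action reference is garbled on the rendered page (it looks
        # like an obfuscated `octokit/request-action@<version>`); restore the exact ref
        # from the template source and pin it to a commit SHA like the other actions here.
        uses: octokit/[email protected]
        with:
          route: GET /repos/{owner}/{repo}
          owner: ${{ github.repository_owner }}
          repo: ${{ steps.split.outputs._1 }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - id: set_default_branch
        name: Set our default branch
        env:
          # The API-derived value is handed to the shell as an environment variable
          # rather than interpolated into the script text, so it cannot alter the
          # command line bash parses
          API_DEFAULT_BRANCH: ${{ fromJson(steps.get_default_branch.outputs.data).default_branch }}
        run: echo "DEFAULT_BRANCH=${API_DEFAULT_BRANCH}" >> "$GITHUB_ENV"
      - id: maybe_skip_analyze
        name: Check if analyze should run
        shell: bash
        # Reads the runner's default variables ($GITHUB_REF, $GITHUB_EVENT_NAME) and the
        # workflow/job env ($RUN_ON_DEFAULT_BRANCH, $DEFAULT_BRANCH) instead of splicing
        # ${{ }} expressions into the script before bash sees it
        run: |
          if [[ "$RUN_ON_DEFAULT_BRANCH" == "false" && "$GITHUB_REF" == "refs/heads/${DEFAULT_BRANCH}" && "$GITHUB_EVENT_NAME" == "push" ]]; then
            echo "Skipping CodeQL analysis on main branch due to configuration"
            echo "should_run_analyze=false" >> "$GITHUB_OUTPUT"
          elif [[ "$GITHUB_EVENT_NAME" == "merge_group" ]]; then
            echo "Skipping CodeQL analysis on merge queue due to a GitHub's known issue, see: https://github.com/github/codeql-action/issues/1537"
            echo "should_run_analyze=false" >> "$GITHUB_OUTPUT"
          else
            echo "Running CodeQL analysis"
            echo "should_run_analyze=true" >> "$GITHUB_OUTPUT"
          fi
  wiz-cli-scanning:
    if: ${{ (github.ref != 'refs/heads/main' || github.event_name != 'push') && (!contains(github.event.pull_request.title, 'deps')) }}
    name: Scan Dependency, Container or IaC with Wiz-CLI
    # NOTE(review): floating branch ref; the actions in `preflight` are pinned to a
    # commit SHA. Pin this once the template is updated.
    uses: pleo-io/reusable-workflows/.github/workflows/security-analysis-with-wiz.reusable-external.yaml@main
    permissions:
      security-events: write
      actions: read
      contents: read
    # `inherit` forwards every secret available to this workflow; narrow it to the
    # ones the reusable workflow needs if they are known.
    secrets: inherit
    with:
      # Dependency Scanning
      wiz_scan_deps: false
      wiz_scan_deps_path: "."
      wiz_scan_deps_policy: "Pleo-Default-vulnerabilities-policy"
      # Container Scanning
      wiz_scan_container: false
      wiz_scan_container_policy: "Pleo-Default-container-policy"
      wiz_scan_container_dockerfile_path: "."
      jdk_version: "17"
      node_version: 20
  languages:
    runs-on: ubuntu-latest
    # Least privilege: the token is only used to read the repository's languages
    permissions:
      contents: read
    outputs:
      matrix: ${{ steps.set-matrix.outputs.languages }}
    steps:
      - name: Get languages from repo
        id: set-matrix
        # NOTE(review): `fix_output` looks like a feature-branch ref; pin to a commit SHA
        uses: pleo-io/set-codeql-language-matrix@fix_output
        with:
          access-token: ${{ secrets.GITHUB_TOKEN }}
          endpoint: ${{ github.event.repository.languages_url }}
  analyze-code:
    name: Analyze code with CodeQL
    if: ${{ (needs.preflight.outputs.should_run_analyze == 'true') && (!contains(github.event.pull_request.title, 'deps')) && (needs.languages.outputs.matrix != '[]') }}
    needs:
      - preflight
      - languages
    runs-on:
      group: codeql-runner-group
    timeout-minutes: 30
    permissions:
      actions: read
      contents: read
      security-events: write
    env:
      # Extra CodeQL CLI options; passes `--off-heap-ram=3072` to the query run
      CODEQL_ACTION_EXTRA_OPTIONS: '{"database": {"run-queries": ["--off-heap-ram=3072"]}}'
    strategy:
      fail-fast: false
      matrix:
        language: ${{ fromJSON(needs.languages.outputs.matrix) }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      # JDK and Node versions are passed as inputs to the CodeQL action below
      - name: CodeQL Analysis
        # NOTE(review): floating branch ref; pin to a commit SHA like actions/checkout above
        uses: pleo-io/reusable-actions/codeql@main
        with:
          language: ${{ matrix.language }}
          # NOTE(review): `github_token` receives the registry token rather than the job's
          # GITHUB_TOKEN; confirm the action needs that broader credential
          github_token: ${{ secrets.GH_REGISTRY_GRADLE_TOKEN }}
          gradle_read_key: ${{ secrets.GH_REGISTRY_GRADLE_TOKEN }}
          job_runr_repo_password: ${{ secrets.JOB_RUNR_REPO_PASSWORD }}
          config_file: ${{ env.CONFIG_FILE }}
          nodeVersion: 20
          jdkVersion: 17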