diff --git a/.github/codeql.yaml b/.github/codeql.yaml
new file mode 100644
index 0000000..71c4bdf
--- /dev/null
+++ b/.github/codeql.yaml
@@ -0,0 +1,6 @@
+paths-ignore:
+ - build/**
+
+query-filters:
+ - exclude:
+ id: go/path-injection
diff --git a/.github/workflows/scan-codeql.yml b/.github/workflows/scan-codeql.yml
new file mode 100644
index 0000000..6a86e3a
--- /dev/null
+++ b/.github/workflows/scan-codeql.yml
@@ -0,0 +1,63 @@
+name: Analyze CodeQL
+
+permissions:
+ contents: read
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ paths-ignore:
+ - "**.md"
+ - "**.jpg"
+ - "**.png"
+ - "**.gif"
+ - "**.svg"
+ - "adr/**"
+ - "docs/**"
+ - "CODEOWNERS"
+ schedule:
+ - cron: "32 2 * * 5"
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ["go", "javascript"]
+ # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+ - name: Setup Go
+ uses: defenseunicorns/zarf/.github/actions/golang@main
+
+ - name: Setup NodeJS
+ uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+ with:
+ node-version: 18
+ cache: "npm"
+ cache-dependency-path: "package-lock.json"
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@04daf014b50eaf774287bf3f0f1869d4b4c4b913 # v2.21.7
+ env:
+ CODEQL_EXTRACTOR_GO_BUILD_TRACING: on
+ with:
+ languages: ${{ matrix.language }}
+ config-file: ./.github/codeql.yaml
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@04daf014b50eaf774287bf3f0f1869d4b4c4b913 # v2.21.7
+ with:
+ category: "/language:${{matrix.language}}"
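Review bot: The `query-filters` entry excludes `go/path-injection` for the whole repository with no recorded reason, so any future path-injection finding in new Go code will never surface in code scanning. If this exists to silence specific false positives, a comment on the filter such as `# excluded because: <reason / tracking issue placeholder>` records the trade-off, and dismissing the individual alerts in the code-scanning UI (or narrowing the exclusion with a path pattern) would keep the query active elsewhere. The `build/**` entry under `paths-ignore` is reasonable for generated output and would benefit from the same one-line justification.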
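Review bot: The `Setup Go` step uses `defenseunicorns/zarf/.github/actions/golang@main`, a mutable branch reference, while every other action in this hunk is pinned to a commit SHA with a version comment; since the step runs with the job's `security-events: write` token, it should be pinned the same way, e.g. `uses: defenseunicorns/zarf/.github/actions/golang@<commit-sha placeholder> # <tag placeholder>`. Separately, `CODEQL_EXTRACTOR_GO_BUILD_TRACING: on` is an unquoted `on`, which YAML 1.1 loaders read as a boolean rather than the string the extractor appears to expect; `CODEQL_EXTRACTOR_GO_BUILD_TRACING: "on"` removes the ambiguity. The `push` trigger also lacks the `paths-ignore` list given to `pull_request`, which may be intentional (pushes to `main` always scanned) but deserves a short comment so the asymmetry is not later "fixed" by accident.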