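---
# CodeQL code scanning for this repository.
#
# Two matrix entries run as separate jobs:
#   - `actions`: scans the workflow files themselves (no build needed).
#   - `c-cpp`:   builds the driver solution with MSBuild on Windows (manual
#                build mode) so CodeQL can observe the compilation.
name: "CodeQL Advanced"

on:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]
  schedule:
    - cron: '41 23 * * 6'

env:
  SOLUTION_NAME: SimpleAntiCheat.sln
  ChocolateyUseWindowsCompression: 'true'

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    # c-cpp needs the MSVC toolchain and WDK, so it runs on Windows; the
    # `swift` branch is unused by the matrix below and only kept for parity
    # with the stock CodeQL template.
    runs-on: ${{ (matrix.language == 'c-cpp' && 'windows-latest') || ((matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest') }}
    timeout-minutes: 60
    # Least-privilege token for the job: only SARIF upload needs write.
    permissions:
      security-events: write  # upload-sarif / analyze results
      packages: read          # CodeQL packs (see `packs:` below) may be pulled from GitHub Packages
      actions: read
      contents: read
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: actions
            build-mode: none
          - language: c-cpp
            build-mode: manual
            config: Release
            platform: x64
    steps:
      # Dependabot-triggered runs only see Dependabot secrets, so the checkout
      # below picks the matching PAT. The interpolated value is a boolean
      # produced by the expression engine, not actor-controlled text.
      - name: Detect if Dependabot
        if: matrix.language == 'c-cpp'
        id: is_dependabot
        shell: pwsh
        run: echo "is_dependabot=${{ github.actor == 'dependabot[bot]' }}" >> $env:GITHUB_OUTPUT

      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # Fallback chain: Dependabot PAT -> repo PAT -> job token. For the
          # `actions` entry the detect step is skipped, so its output is empty
          # and the chain falls through to GH_PAT / github.token.
          # NOTE(review): a PAT is presumably required for the recursive
          # submodule fetch (private submodules) — confirm against the repo.
          token: ${{ (matrix.language == 'c-cpp' && steps.is_dependabot.outputs.is_dependabot == 'true') && secrets.GH_DEPENDABOT_PAT || secrets.GH_PAT || github.token }}
          submodules: ${{ matrix.language == 'c-cpp' && 'recursive' || false }}
          # The token is only needed while checkout (incl. submodules) runs;
          # do not leave it in .git/config where later third-party steps in
          # this job could read it.
          persist-credentials: false

      - name: Cache NuGet packages
        if: matrix.language == 'c-cpp'
        uses: actions/cache@v5
        with:
          path: ./packages
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.config') }}
          restore-keys: ${{ runner.os }}-nuget-

      - name: Setup Developer Command Prompt
        if: matrix.language == 'c-cpp'
        # Third-party actions (this one and advanced-security/filter-sarif
        # below) are referenced by mutable tags; pinning them to a full commit
        # SHA makes the supply chain reproducible.
        uses: ilammy/msvc-dev-cmd@v1
        with:
          arch: ${{ matrix.platform }}

      - name: Obtain WDK from Nuget
        if: matrix.language == 'c-cpp'
        shell: pwsh  # PowerShell syntax below; do not rely on the runner default
        run: |
          echo "Restoring NuGet packages..."
          nuget restore ${{ env.SOLUTION_NAME }} -PackagesDirectory ".\packages"
          if ($LASTEXITCODE -ne 0) {
            Write-Error "NuGet restore failed"
            exit 1
          }

      - name: Initialize CodeQL (C/C++)
        if: matrix.language == 'c-cpp'
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          packs: microsoft/windows-drivers@1.1.0
          queries: security-extended,security-and-quality

      - name: Initialize CodeQL (Actions)
        if: matrix.language == 'actions'
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          queries: security-extended,security-and-quality

      # Manual build mode: CodeQL traces this compilation to build its database.
      - name: Build driver for CodeQL analysis
        if: matrix.language == 'c-cpp'
        shell: pwsh  # PowerShell syntax below; do not rely on the runner default
        run: |
          echo "Building solution: ${{ env.SOLUTION_NAME }}"
          msbuild ${{ env.SOLUTION_NAME }} /p:Configuration=${{ matrix.config }} /p:Platform=${{ matrix.platform }} /m /verbosity:minimal
          if ($LASTEXITCODE -ne 0) {
            Write-Error "Build failed"
            exit 1
          }

      # Write SARIF to disk without uploading so third-party/vendored paths
      # can be filtered out first.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{ matrix.language }}"
          output: 'sarif-results'
          upload: 'never'

      # Drop findings in restored NuGet packages and the vendored
      # systeminformer tree; rewrites the SARIF file in place.
      - name: Filter-sarif
        if: matrix.language == 'c-cpp'
        uses: advanced-security/filter-sarif@v1
        with:
          patterns: |
            -packages/**
            -systeminformer/**
          input: sarif-results/cpp.sarif
          output: sarif-results/cpp.sarif

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: sarif-results

      # Keep the raw SARIF briefly for debugging; one artifact per matrix entry.
      - name: Upload loc as a Build Artifact
        uses: actions/upload-artifact@v7
        with:
          name: sarif-results-${{ matrix.language }}
          path: sarif-results
          retention-days: 1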