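name: "CodeQL"

on:  # yamllint disable-line rule:truthy
  push:
    branches: [ master, dev ]
  pull_request:
    branches: [ master ]
  schedule:
    - cron: '30 5 * * 1'  # Weekly on Monday at 5:30 AM UTC
  workflow_dispatch:  # Allow manual runs
    inputs:
      branch:
        description: 'Branch to scan'
        required: false
        default: 'master'
        type: choice
        options:
          - master
          - dev

# IMPORTANT: Never set cancel-in-progress to true for security scans!
# CodeQL analysis must complete to ensure:
# - All security vulnerabilities are detected
# - Complete code coverage for security issues
# - Consistent security reporting
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

env:
  DOTNET_VERSION: '10.0.x'
  # Quoted so the values are stored as the strings the dotnet CLI reads,
  # not retyped as YAML booleans by a generic parser.
  DOTNET_NOLOGO: 'true'
  DOTNET_CLI_TELEMETRY_OPTOUT: 'true'

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    # Least privilege: only the token scopes CodeQL needs to read the
    # repository/workflow and to upload SARIF results to code scanning.
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: [ 'csharp', 'javascript' ]
        # build-mode is consumed by the "Initialize CodeQL" step below.
        include:
          - language: 'csharp'
            build-mode: 'manual'
          - language: 'javascript'
            build-mode: 'none'
    steps:
      # Defence in depth for manual runs: the input is declared as a fixed
      # choice list, but it is re-checked here before being used as a
      # checkout ref. The value is handed to the shell through env rather
      # than expanded with ${{ }} inside `run:`, so it is never spliced
      # into the script text.
      - name: Validate branch input
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.branch
        env:
          REQUESTED_BRANCH: ${{ github.event.inputs.branch }}
        run: |
          ALLOWED_BRANCHES="master dev"
          if [[ ! " $ALLOWED_BRANCHES " =~ " $REQUESTED_BRANCH " ]]; then
            echo "❌ Error: Branch '$REQUESTED_BRANCH' is not allowed for CodeQL scanning."
            echo "Allowed branches: $ALLOWED_BRANCHES"
            exit 1
          fi
          echo "✅ Branch '$REQUESTED_BRANCH' is valid for scanning"

      # NOTE(review): actions are referenced by major-version tag. Pinning
      # each `uses:` to a full commit SHA (keeping the tag in a trailing
      # comment) protects this security job against a moved or compromised
      # tag; the SHAs must be taken from each action's repository.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # An empty string falls back to the triggering event's ref.
          ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.branch || '' }}

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Pass the per-language build mode from the matrix so the manual
          # dotnet build below is what CodeQL traces for C#; previously the
          # matrix value was declared but never used.
          build-mode: ${{ matrix.build-mode }}
          queries: security-and-quality
          # Force the latest CodeQL CLI bundle so the .NET SDK selected by
          # DOTNET_VERSION is supported by the C# extractor.
          tools: latest
          config: |
            query-filters:
              - exclude:
                  id: js/unused-local-variable
              - exclude:
                  id: cs/static-field-written-by-instance
              # Exclude common C# precision warnings that are usually intentional
              - exclude:
                  id: cs/loss-of-precision
                  tags: test
              # Exclude test-specific collection warnings
              - exclude:
                  id: cs/unused-collection
                  tags: test

      # C# specific build steps
      - name: Set up .NET
        if: matrix.language == 'csharp'
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}

      - name: Cache NuGet packages
        if: matrix.language == 'csharp'
        uses: actions/cache@v4
        with:
          path: ~/.nuget/packages
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj', '**/Directory.Build.props') }}
          restore-keys: |
            ${{ runner.os }}-nuget-

      - name: Restore dependencies
        if: matrix.language == 'csharp'
        run: dotnet restore

      - name: Build
        if: matrix.language == 'csharp'
        run: |
          # Clean build to ensure CodeQL tracks all files
          dotnet clean --configuration Release
          dotnet build --no-restore --configuration Release

      # JavaScript specific setup (if needed)
      - name: Setup Node.js
        if: matrix.language == 'javascript'
        uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'
          cache-dependency-path: |
            SDKs/Node/package-lock.json
            SDKs/Node/Admin/package-lock.json
            SDKs/Node/Core/package-lock.json
            SDKs/Node/Common/package-lock.json
            WebAdmin/package-lock.json

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"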