From de4457eac23d329ac6d1a2e0ae7ba00c7baea493 Mon Sep 17 00:00:00 2001
From: Andrew Eisenberg
Date: Fri, 24 Jan 2025 13:06:32 -0800
Subject: [PATCH 1/2] Add actions analysis to code scannign

Create a new job to run actions since we don't need to matrix the runs across multiple OSes.
---
 .github/workflows/codeql.yml | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 130ef58839..ad5b502f68 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -70,7 +70,7 @@ jobs:
 echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
 echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT
- build:
+ analyze-javascript:
 needs: [check-codeql-versions]
 strategy:
 fail-fast: false
@@ -81,7 +81,7 @@ jobs:
 permissions:
 contents: read
- security-events: write # needed to upload results
+ security-events: write
 steps:
 - name: Checkout
@@ -100,3 +100,27 @@ jobs:
 uses: ./analyze
 with:
 category: "/language:javascript"
+
+
+ analyze-actions:
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+
+ permissions:
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Initialize CodeQL
+ uses: ./init
+ with:
+ languages: actions
+ config-file: ./.github/codeql/codeql-config.yml
+ - name: Perform CodeQL Analysis
+ uses: ./analyze
+ with:
+ category: "/language:actions"

From 50954e7f006013661fd40f27dc2cc84ed9af3134 Mon Sep 17 00:00:00 2001
From: Andrew Eisenberg
Date: Wed, 29 Jan 2025 12:25:34 -0800
Subject: [PATCH 2/2] Use a separate config file for actions queries

---
 .github/codeql/codeql-actions-config.yml | 4 ++++
 .github/workflows/codeql.yml | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 .github/codeql/codeql-actions-config.yml

diff --git a/.github/codeql/codeql-actions-config.yml b/.github/codeql/codeql-actions-config.yml
new file mode 100644
index 0000000000..7f3b3f3a84
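Review bot: The `# needed to upload results` comment on `security-events: write` is removed with nothing in its place, so the one write-scoped permission in the analyze-javascript job is no longer justified anywhere in the file. A reviewer auditing workflow permissions has to work out from the `./analyze` step why the scope is granted. Keep a short justification on the line, e.g. `security-events: write # needed to upload code scanning results`, or a comment above `permissions:` covering both scopes.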
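Review bot: The new analyze-actions job declares `strategy:` with `fail-fast: false` but no `matrix`, so the setting has no effect (fail-fast only governs matrix jobs) and reads as a leftover from copying analyze-javascript; drop the `strategy:` block so the job's shape matches the commit message, which says the actions analysis does not need a matrix. Separately, `uses: actions/checkout@v4` pins a mutable tag in a job that runs with `security-events: write`; pinning the action to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening, worth applying here if the rest of the workflow does not already do so (its checkout line is outside this hunk). A one-line comment above `analyze-actions:` stating why it is a separate, single-runner job, e.g. `# Actions analysis does not depend on the OS, so it runs once rather than in the matrix`, would also save the next reader from re-deriving that from the commit message.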
--- /dev/null
+++ b/.github/codeql/codeql-actions-config.yml
@@ -0,0 +1,4 @@
+# Configuration for the CodeQL Actions Queries name: "CodeQL Actions Queries config" queries: - uses: security-and-quality
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ad5b502f68..a51a6b870e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -119,7 +119,7 @@ jobs:
 uses: ./init
 with:
 languages: actions
- config-file: ./.github/codeql/codeql-config.yml
+ config-file: ./.github/codeql/codeql-actions-config.yml
 - name: Perform CodeQL Analysis
 uses: ./analyze
 with: