diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..3ac97ba --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,100 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# For more information see: +# https://nasa.github.io/scrub/ +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [main, develop] + pull_request: + # The branches below must be a subset of the branches above + branches: [develop] + schedule: + # default branch on sundays at 5a + - cron: '0 5 * * 0' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: write + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + # CodeQL supports ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby'] + # Learn more about CodeQL language support at https://git.io/codeql-language-support + language: ['python'] + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + #config-file: ./.github/workflows/codeql/codeql-config.yml + languages: ${{ matrix.language }} + queries: security-and-quality, security-extended + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl + + # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language + + #- run: | + # make bootstrap + # make release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + + - name: Post-Process Output + run: | + python3 -m pip install nasa-scrub + + results_dir=`realpath ${{ github.workspace }}/../results` + sarif_files=`find $results_dir -name '*.sarif'` + + for sarif_file in $sarif_files + do + output_file="$results_dir/$(basename $sarif_file .sarif).scrub" + + python3 -m scrub.tools.parsers.translate_results $sarif_file $output_file ${{ github.workspace }} scrub + done + + python3 -m scrub.tools.parsers.csv_parser $results_dir + + echo "RESULTS_DIR=$results_dir" >> $GITHUB_ENV + + + - name: Upload CodeQL Artifacts + uses: actions/upload-artifact@v4 + with: + name: codeql-artifacts + path: ${{ env.RESULTS_DIR }} + if-no-files-found: error + overwrite: true + retention-days: 15 diff --git a/.github/workflows/codeql/codeql-config.yml b/.github/workflows/codeql/codeql-config.yml new file mode 100644 index 0000000..17e620e --- /dev/null +++ b/.github/workflows/codeql/codeql-config.yml @@ -0,0 +1,5 @@ +name: "CodeQL config" +queries: + - name: Run custom queries + - uses: security-extended + - uses: security-and-quality