diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 7267068..6ab9879 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -23,6 +23,10 @@ jobs:
 analyze:
 name: Analyze
 runs-on: [ macos-latest ]
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
 strategy:
 fail-fast: false
@@ -31,41 +35,21 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
+ with:
+ submodules: recursive
+
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@v3
 with:
 languages: ${{ matrix.language }}
+ queries: security-and-quality
+ debug: true
- - name: Autobuild
- run: swift build
+ - name: Build
+ run: |
+ xcodebuild -scheme CheckoutCardManagement -destination "platform=iOS Simulator,name=iPhone 14 Pro,OS=latest"
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
- with:
- upload: false # disable the upload here - we will upload in a different action
- output: sarif-results
- - name: filter-sarif
- uses: advanced-security/filter-sarif@v1
- with:
- # filter out all test files unless they contain a sql-injection vulnerability
- patterns: |
- -**/*test*.js
- +**/*test*.js:js/sql-injection
- input: sarif-results/${{ matrix.language }}.sarif
- output: sarif-results/${{ matrix.language }}.sarif
- - name: Upload SARIF
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: sarif-results/${{ matrix.language }}.sarif
- # optional: for debugging the uploaded sarif
- - name: Upload loc as a Build Artifact
- uses: actions/upload-artifact@v3
- with:
- name: sarif-results
- path: sarif-results
- retention-days: 1
+ uses: github/codeql-action/analyze@v3
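Review bot: `debug: true` on the Initialize CodeQL step in the second hunk should not be the committed default: with debug mode on, codeql-action uploads its debug artifacts (logs and, as far as I recall, the extracted CodeQL database) to the workflow run, so the scanned source tree becomes downloadable by anyone who can read run artifacts, and every scheduled scan gets slower and noisier. Remove the line and turn it on locally only when a scan needs diagnosing, leaving `queries: security-and-quality` as the only addition under `with:`. The three action references (`actions/checkout@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`) are mutable tags; for a job granted `security-events: write` the usual hardening is to pin each to a full commit SHA and keep the tag in a trailing comment. The new `xcodebuild` line hard-codes `iPhone 14 Pro` on top of `macos-latest`, so the build breaks as soon as the runner image drops that simulator; `-destination "generic/platform=iOS Simulator"` together with `CODE_SIGNING_ALLOWED=NO` keeps the CodeQL build independent of a specific device name and of signing identities the runner does not have.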