--- # This workflow is centrally managed in https://github.com//.github/ # Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in # the above-mentioned repo. # This workflow will analyze all supported languages in the repository using CodeQL Analysis. name: "CodeQL" permissions: contents: read on: push: branches: - master pull_request: branches: - master schedule: - cron: '00 12 * * 0' # every Sunday at 12:00 UTC concurrency: group: "${{ github.workflow }}-${{ github.ref }}" cancel-in-progress: true jobs: languages: name: Get language matrix outputs: matrix: ${{ steps.lang.outputs.result }} continue: ${{ steps.continue.outputs.result }} runs-on: ubuntu-latest steps: - name: Checkout repository uses: actions/checkout@v4 - name: Get repo languages id: lang uses: actions/github-script@v7 with: script: | // CodeQL supports ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift'] // Use only 'java' to analyze code written in Java, Kotlin or both // Use only 'javascript' to analyze code written in JavaScript, TypeScript or both // Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support const supported_languages = ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift'] const remap_languages = { 'c++': 'cpp', 'c#': 'csharp', 'kotlin': 'java', 'typescript': 'javascript', } const repo = context.repo const response = await github.rest.repos.listLanguages(repo) let matrix = { "include": [] } // Track languages we've already added to avoid duplicates const addedLanguages = new Set() // Check if workflow files exist to determine if we should add actions language const fs = require('fs'); const hasYmlFiles = fs.existsSync('.github/workflows') && fs.readdirSync('.github/workflows').some(file => file.endsWith('.yml') || file.endsWith('.yaml')); // Add actions language if workflow files exist if (hasYmlFiles) { console.log('Found GitHub Actions workflow files. Adding actions to the matrix.'); matrix['include'].push({ "category": "/language:actions", "language": "actions", "name": "actions", "os": "ubuntu-latest" }); } for (let [key, value] of Object.entries(response.data)) { // remap language if (remap_languages[key.toLowerCase()]) { console.log(`Remapping language: ${key} to ${remap_languages[key.toLowerCase()]}`) key = remap_languages[key.toLowerCase()] } const normalizedKey = key.toLowerCase() if (supported_languages.includes(normalizedKey) && !addedLanguages.has(normalizedKey)) { // Mark this language as added addedLanguages.add(normalizedKey) console.log(`Found supported language: ${normalizedKey}`) let osList = ['ubuntu-latest']; if (normalizedKey === 'swift') { osList = ['macos-latest']; } else if (normalizedKey === 'cpp') { osList = ['macos-latest', 'ubuntu-latest', 'windows-latest']; } for (let os of osList) { // set name for matrix let name = osList.length === 1 ? normalizedKey : `${normalizedKey}, ${os}` // set category for matrix let category = `/language:${normalizedKey}` if (normalizedKey === 'cpp') { category = `/language:cpp-${os.split('-')[0]}` } // add to matrix matrix['include'].push({ "category": category, "language": normalizedKey, "name": name, "os": os }) } } } // print languages console.log(`matrix: ${JSON.stringify(matrix)}`) return matrix - name: Continue id: continue uses: actions/github-script@v7 with: script: | // if matrix['include'] is an empty list return false, otherwise true const matrix = ${{ steps.lang.outputs.result }} // this is already json encoded if (matrix['include'].length == 0) { return false } else { return true } analyze: name: Analyze (${{ matrix.name }}) if: needs.languages.outputs.continue == 'true' defaults: run: shell: ${{ matrix.os == 'windows-latest' && 'msys2 {0}' || 'bash' }} env: GITHUB_CODEQL_BUILD: true needs: languages permissions: actions: read contents: read security-events: write runs-on: ${{ matrix.os || 'ubuntu-latest' }} strategy: fail-fast: false matrix: ${{ fromJson(needs.languages.outputs.matrix) }} timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} steps: - name: Maximize build space if: >- runner.os == 'Linux' && matrix.language == 'cpp' uses: easimon/maximize-build-space@v10 with: root-reserve-mb: 30720 remove-dotnet: ${{ (matrix.language == 'csharp' && 'false') || 'true' }} remove-android: 'true' remove-haskell: 'true' remove-codeql: 'false' remove-docker-images: 'true' - name: Checkout repository uses: actions/checkout@v4 with: submodules: recursive - name: Setup msys2 if: >- runner.os == 'Windows' && matrix.language == 'cpp' uses: msys2/setup-msys2@v2 with: msystem: ucrt64 update: true # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. # yamllint disable-line rule:line-length # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality config: | paths-ignore: - build - node_modules - third-party # Pre autobuild # create a file named .codeql-prebuild-${{ matrix.language }}-${{ runner.os }}.sh in the root of your repository - name: Prebuild id: prebuild run: | # check if prebuild script exists filename=".codeql-prebuild-${{ matrix.language }}-${{ runner.os }}.sh" if [ -f "./${filename}" ]; then echo "Running prebuild script: ${filename}" ./${filename} fi # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). - name: Autobuild if: steps.prebuild.outputs.skip_autobuild != 'true' uses: github/codeql-action/autobuild@v3 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: category: "${{ matrix.category }}" output: sarif-results upload: failure-only - name: filter-sarif uses: advanced-security/filter-sarif@v1 with: input: sarif-results/${{ matrix.language }}.sarif output: sarif-results/${{ matrix.language }}.sarif patterns: | -build/** -node_modules/** -third\-party/** - name: Upload SARIF uses: github/codeql-action/upload-sarif@v3 with: category: "${{ matrix.category }}" sarif_file: sarif-results/${{ matrix.language }}.sarif - name: Upload loc as a Build Artifact uses: actions/upload-artifact@v4 with: name: sarif-results-${{ matrix.language }}-${{ runner.os }} path: sarif-results if-no-files-found: error retention-days: 1