--- # This workflow is centrally managed in https://github.com//.github/ # Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in # the above-mentioned repo. # This workflow will analyze all supported languages in the repository using CodeQL Analysis. name: "CodeQL" permissions: contents: read on: push: branches: - master pull_request: branches: - master schedule: - cron: '00 12 * * 0' # every Sunday at 12:00 UTC concurrency: group: "${{ github.workflow }}-${{ github.ref }}" cancel-in-progress: true jobs: languages: name: Get language matrix outputs: matrix: ${{ steps.lang.outputs.result }} continue: ${{ steps.continue.outputs.result }} runs-on: ubuntu-latest steps: - name: Checkout repository uses: actions/checkout@v4 - name: Get repo languages id: lang uses: actions/github-script@v7 with: script: | // CodeQL supports the following: // ['actions', 'c', 'cpp', 'csharp', 'go', 'java', 'javascript', 'kotlin', 'python', 'ruby', 'swift'] // Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support const supported_languages = [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift', ] const remap_languages = { 'c': 'cpp', 'c++': 'cpp', 'c#': 'csharp', 'kotlin': 'java', 'typescript': 'javascript', } const repo = context.repo const response = await github.rest.repos.listLanguages(repo) let matrix = { "include": [] } // Track languages we've already added to avoid duplicates const addedLanguages = new Set() // Check if workflow files exist to determine if we should add actions language const fs = require('fs'); const hasYmlFiles = fs.existsSync('.github/workflows') && fs.readdirSync('.github/workflows').some(file => file.endsWith('.yml') || file.endsWith('.yaml')); // Add actions language if workflow files exist if (hasYmlFiles) { console.log('Found GitHub Actions workflow files. Adding actions to the matrix.'); matrix['include'].push({ "category": "/language:actions", "language": "actions", "name": "actions", "os": "ubuntu-latest", "build-mode": "none", }); } for (let [key, value] of Object.entries(response.data)) { // remap language if (remap_languages[key.toLowerCase()]) { console.log(`Remapping language: ${key} to ${remap_languages[key.toLowerCase()]}`) key = remap_languages[key.toLowerCase()] } const normalizedKey = key.toLowerCase() if (supported_languages.includes(normalizedKey) && !addedLanguages.has(normalizedKey)) { // Mark this language as added addedLanguages.add(normalizedKey) console.log(`Found supported language: ${normalizedKey}`) let osList = ['ubuntu-latest']; if (normalizedKey === 'swift') { osList = ['macos-latest']; } for (let os of osList) { // set name for matrix let name = osList.length === 1 ? normalizedKey : `${normalizedKey}, ${os}` // set category for matrix let category = `/language:${normalizedKey}` let build_mode = 'none'; // Set build mode based on language switch (normalizedKey) { case 'csharp': build_mode = 'autobuild' break case 'go': build_mode = 'autobuild' break case 'java': build_mode = 'autobuild' break default: build_mode = 'none' } // add to matrix matrix['include'].push({ "category": category, "language": normalizedKey, "name": name, "os": os, "build-mode": build_mode, }) } } } // print languages console.log(`matrix: ${JSON.stringify(matrix)}`) return matrix - name: Continue id: continue uses: actions/github-script@v7 with: script: | // if matrix['include'] is an empty list return false, otherwise true const matrix = ${{ steps.lang.outputs.result }} // this is already json encoded if (matrix['include'].length == 0) { return false } else { return true } analyze: name: Analyze (${{ matrix.name }}) if: needs.languages.outputs.continue == 'true' env: GITHUB_CODEQL_BUILD: true needs: languages permissions: actions: read contents: read security-events: write runs-on: ${{ matrix.os || 'ubuntu-latest' }} strategy: fail-fast: false matrix: ${{ fromJson(needs.languages.outputs.matrix) }} timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 60 }} steps: - name: Checkout repository uses: actions/checkout@v4 with: submodules: recursive # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. # yamllint disable-line rule:line-length # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality config: | paths-ignore: - build - node_modules - third-party build-mode: ${{ matrix.build-mode || 'none' }} # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). - name: Autobuild if: matrix.build-mode == 'autobuild' uses: github/codeql-action/autobuild@v3 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: category: "${{ matrix.category }}" output: sarif-results upload: failure-only - name: filter-sarif uses: advanced-security/filter-sarif@v1 with: input: sarif-results/${{ matrix.language }}.sarif output: sarif-results/${{ matrix.language }}.sarif patterns: | -build/** -node_modules/** -third\-party/** - name: Upload SARIF uses: github/codeql-action/upload-sarif@v3 with: category: "${{ matrix.category }}" sarif_file: sarif-results/${{ matrix.language }}.sarif - name: Upload loc as a Build Artifact uses: actions/upload-artifact@v4 with: name: sarif-results-${{ matrix.language }}-${{ runner.os }} path: sarif-results if-no-files-found: error retention-days: 1