--- # This action is centrally managed in https://github.com//.github/ # Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in # the above-mentioned repo. # This workflow will analyze all supported languages in the repository using CodeQL Analysis. name: "CodeQL" on: push: branches: ["master"] pull_request: branches: ["master"] schedule: - cron: '00 12 * * 0' # every Sunday at 12:00 UTC concurrency: group: "${{ github.workflow }}-${{ github.ref }}" cancel-in-progress: true jobs: languages: name: Get language matrix runs-on: ubuntu-latest outputs: matrix: ${{ steps.lang.outputs.result }} continue: ${{ steps.continue.outputs.result }} steps: - name: Get repo languages uses: actions/github-script@v7 id: lang with: script: | // CodeQL supports ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift'] // Use only 'java' to analyze code written in Java, Kotlin or both // Use only 'javascript' to analyze code written in JavaScript, TypeScript or both // Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support const supported_languages = ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift'] const remap_languages = { 'c++': 'cpp', 'c#': 'csharp', 'kotlin': 'java', 'typescript': 'javascript', } const repo = context.repo const response = await github.rest.repos.listLanguages(repo) let matrix = { "include": [] } for (let [key, value] of Object.entries(response.data)) { // remap language if (remap_languages[key.toLowerCase()]) { console.log(`Remapping language: ${key} to ${remap_languages[key.toLowerCase()]}`) key = remap_languages[key.toLowerCase()] } if (supported_languages.includes(key.toLowerCase())) { console.log(`Found supported language: ${key}`) let osList = ['ubuntu-latest']; if (key.toLowerCase() === 'swift') { osList = ['macos-latest']; } else if (key.toLowerCase() === 'cpp') { // TODO: update macos to latest after the below issue is resolved // https://github.com/github/codeql-action/issues/2266 osList = ['macos-13', 'ubuntu-latest', 'windows-latest']; } for (let os of osList) { // set name for matrix if (osList.length == 1) { name = key.toLowerCase() } else { name = `${key.toLowerCase()}, ${os}` } // add to matrix matrix['include'].push({"language": key.toLowerCase(), "os": os, "name": name}) } } } // print languages console.log(`matrix: ${JSON.stringify(matrix)}`) return matrix - name: Continue uses: actions/github-script@v7 id: continue with: script: | // if matrix['include'] is an empty list return false, otherwise true const matrix = ${{ steps.lang.outputs.result }} // this is already json encoded if (matrix['include'].length == 0) { return false } else { return true } analyze: name: Analyze (${{ matrix.name }}) if: ${{ needs.languages.outputs.continue == 'true' }} defaults: run: shell: ${{ matrix.os == 'windows-latest' && 'msys2 {0}' || 'bash' }} env: GITHUB_CODEQL_BUILD: true needs: [languages] runs-on: ${{ matrix.os || 'ubuntu-latest' }} timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} permissions: actions: read contents: read security-events: write strategy: fail-fast: false matrix: ${{ fromJson(needs.languages.outputs.matrix) }} steps: - name: Maximize build space if: >- runner.os == 'Linux' && matrix.language == 'cpp' uses: easimon/maximize-build-space@v10 with: root-reserve-mb: 30720 remove-dotnet: ${{ (matrix.language == 'csharp' && 'false') || 'true' }} remove-android: 'true' remove-haskell: 'true' remove-codeql: 'false' remove-docker-images: 'true' - name: Checkout repository uses: actions/checkout@v4 with: submodules: recursive - name: Setup msys2 if: >- runner.os == 'Windows' && matrix.language == 'cpp' uses: msys2/setup-msys2@v2 with: msystem: ucrt64 update: true # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. # yamllint disable-line rule:line-length # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality config: | paths-ignore: - build - node_modules - third-party # Pre autobuild # create a file named .codeql-prebuild-${{ matrix.language }}.sh in the root of your repository # create a file named .codeql-build-${{ matrix.language }}.sh in the root of your repository - name: Prebuild id: prebuild run: | # check if prebuild script exists filename=".codeql-prebuild-${{ matrix.language }}-${{ runner.os }}.sh" if [ -f "./${filename}" ]; then echo "Running prebuild script: ${filename}" ./${filename} fi # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). - name: Autobuild if: steps.prebuild.outputs.skip_autobuild != 'true' uses: github/codeql-action/autobuild@v3 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: category: "/language:${{matrix.language}}" output: sarif-results upload: failure-only - name: filter-sarif uses: advanced-security/filter-sarif@v1 with: input: sarif-results/${{ matrix.language }}.sarif output: sarif-results/${{ matrix.language }}.sarif patterns: | -build/** -node_modules/** -third\-party/** - name: Upload SARIF uses: github/codeql-action/upload-sarif@v3 with: sarif_file: sarif-results/${{ matrix.language }}.sarif - name: Upload loc as a Build Artifact uses: actions/upload-artifact@v4 with: name: sarif-results-${{ matrix.language }}-${{ runner.os }} path: sarif-results retention-days: 1