-
Notifications
You must be signed in to change notification settings - Fork 0
98 lines (86 loc) · 2.82 KB
/
Copy pathcodeql.yml
File metadata and controls
98 lines (86 loc) · 2.82 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
name: CodeQL Security Scan
on:
push:
branches: [main, dev]
pull_request:
branches: [main, dev]
schedule:
# Weekly on Mondays 06:00 UTC
- cron: '0 6 * * 1'
workflow_dispatch:
permissions:
contents: read
security-events: write
actions: read
jobs:
analyze:
name: Analyze (${{ matrix.language }})
runs-on: ubuntu-latest
timeout-minutes: 30
strategy:
fail-fast: false
matrix:
language: [python, javascript-typescript, go, csharp]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Python
if: matrix.language == 'python'
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Set up .NET
if: matrix.language == 'csharp'
uses: actions/setup-dotnet@v4
with:
dotnet-version: '8.0.x'
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: security-extended
build-mode: ${{ (matrix.language == 'csharp' && 'manual') || (matrix.language == 'go' && 'autobuild') || 'none' }}
- name: Build .NET projects (csharp)
if: matrix.language == 'csharp'
run: |
dotnet build connectors/worker/dotnet/OmniVec.Worker.csproj -c Release
dotnet build connectors/ingestion/dotnet/OmniVec.ChangeFeed.csproj -c Release
- name: Autobuild
if: matrix.language != 'csharp'
uses: github/codeql-action/autobuild@v3
# Run analysis but don't auto-upload — we post-process first to honor
# inline `# lgtm[rule-id]` suppressions (CodeQL CLI doesn't natively).
- name: Perform CodeQL Analysis
id: analyze
uses: github/codeql-action/analyze@v3
with:
category: /language:${{ matrix.language }}
output: codeql-results
upload: never
- name: Apply lgtm[] inline suppressions
run: |
set -eu
shopt -s nullglob
mkdir -p codeql-results-filtered
for sarif in codeql-results/*.sarif; do
base=$(basename "$sarif")
python scripts/security/filter_sarif.py \
"$sarif" \
"codeql-results-filtered/$base" \
"$GITHUB_WORKSPACE"
done
- name: Upload filtered SARIF to code-scanning
continue-on-error: true
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: codeql-results-filtered
category: /language:${{ matrix.language }}
- name: Upload SARIF artifacts
if: always()
uses: actions/upload-artifact@v4
with:
name: codeql-${{ matrix.language }}-sarif
path: |
codeql-results
codeql-results-filtered
retention-days: 14