-
Notifications
You must be signed in to change notification settings - Fork 0
52 lines (48 loc) · 1.81 KB
/
codeql-monorepo-full.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# This workflow scans all sub projects of a monorepo.
#
# It uses Actions from `advanced-security/monorepo-code-scanning-action`
#
# The specific language and paths covered by each project are passed to the CodeQL analysis, along with a custom analysis workflow if one is provided.
#
# For TypeScript/JavaScript, Python, and Ruby, and when using 'build-mode: none' for Java and C#, you can let the CodeQL Action handle the "build" step,
# and only target the project that is being changed by the PR.
#
# For Kotlin, Swift and C/C++, or when not using 'build-mode: none' for Java and C#, you will need to manually build the project,
# in a way that you can define in the optional custom analysis workflow.
#
# If you want to specifiy custom queries, you can do so in the custom analysis workflow.
#
# You can find an example of what that looks like in this repository at .github/workflows/custom-codeql-analysis.yml
name: "CodeQL monorepo - scheduled"
on:
workflow_dispatch:
schedule:
# every day at midnight, please edit as appropriate
- cron: "0 0 * * *"
jobs:
whole-repo:
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
projects: ${{ steps.whole-repo.outputs.projects }}
steps:
- name: Scan whole repo, split up by project
id: whole-repo
uses: advanced-security/monorepo-code-scanning-action/whole-repo@main
with:
projects-json: monorepo-projects.json
queries: security-extended
scan:
runs-on: ubuntu-latest
permissions:
contents: read
actions: read
security-events: write
needs: whole-repo
strategy:
matrix:
project: ${{ fromJson(needs.whole-repo.outputs.projects).projects }}
steps:
- name: Analyze code
uses: advanced-security/monorepo-code-scanning-action/scan@main