Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add actions analysis to code scanning #2725

Merged
merged 2 commits into from
Jan 29, 2025
Merged

Add actions analysis to code scanning #2725

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
de4457e
Add actions analysis to code scannign
aeisenberg Jan 24, 2025
50954e7
Use a separate config file for actions queries
aeisenberg Jan 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 26 additions & 2 deletions .github/workflows/codeql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ jobs:
echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT

build:
analyze-javascript:
needs: [check-codeql-versions]
strategy:
fail-fast: false
Expand All @@ -81,7 +81,7 @@ jobs:

permissions:
contents: read
security-events: write # needed to upload results
security-events: write

steps:
- name: Checkout
Expand All @@ -100,3 +100,27 @@ jobs:
uses: ./analyze
with:
category: "/language:javascript"


analyze-actions:
runs-on: ubuntu-latest
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we also want this job to depend on check-codeql-versions? I guess it's not necessary, as long as one of them depends on it?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was thinking that we don't need it.

This workflow is matrixed on multiple versions of CodeQL mainly as an integration test. Since we're using the different versions for analyzing JavaScript, I was thinking that we don't need to do the same for actios. Though, if you can think of a reason, we can change this.


strategy:
fail-fast: false

permissions:
contents: read
security-events: write

steps:
- name: Checkout
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: ./init
with:
languages: actions
config-file: ./.github/codeql/codeql-config.yml
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using the config file means that we're adding a couple directories to the list of ignored paths. The current behavior of the extractor is that if any of the path include/exclude properties are set, we use only those include/exclude settings, and ignore the default Actions path settings. Is that what we want here? (Or, from another angle, is that the right behavior of the Actions extractor?)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. In this case, we don't want to use the custom paths-ignore and just rely on the default. I can't think of a reason why a user would want the non-default version. I'll create a separate actions config and use that one instead.

- name: Perform CodeQL Analysis
uses: ./analyze
with:
category: "/language:actions"
Loading