Skip to content
CodeQL

CodeQL #4

Sign in to view logs

CodeQL

CodeQL #4

Workflow file for this run

.github/workflows/codeql.yml at cc811a9
name: "CodeQL"
#we will launch this actions with a manual trigger, as well when a push is committed or a PR is opened on main branch
on:
workflow_dispatch:
# push:
# branches: ["main"]
# pull_request:
# branches: ["main"]
jobs:
#jobs name and settings
analyze:
name: Analyze
runs-on: ubuntu-latest
timeout-minutes: 360
permissions:
actions: read
contents: read
security-events: write
#setup strategy, with matrix options, we are executing two jobs with different languages
strategy:
fail-fast: false
matrix:
language: ["java-kotlin", "javascript-typescript"]
# CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
steps:
# Checkout the repo, this will setup the pipeline with our actual codebase
- name: Checkout repository
uses: actions/checkout@v3
# Setup CodeQL tool, with this setup step, we are specifying the language of the scan, and also some extra arguments in a configuration file
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
config-file: ./.github/codeql/codeql-config.${{ matrix.language }}.yml
languages: ${{ matrix.language }}
# Build the codebase, codeql offer an autobuild steps for most of his supported languages: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
- if: matrix.language != 'java-kotlin'
name: Autobuild
uses: github/codeql-action/autobuild@v2
# In case our java project, we are leveraging some project specific needs
- if: matrix.language == 'java-kotlin'
name: Compile project
run: |
cd vuln_apps/vulnado
./mvnw -B clean package -DskipTests=true
# Perform the actual code analysis, that will automatic upload GitHub security section
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{matrix.language}}"