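name: "CodeQL"
run-name: "CodeQL scan on ${{ github.head_ref || github.ref_name }}"

# Scan policy:
#   1. Weekly scan of the default branch (master/main), Monday 00:00 UTC.
#   2. Scan every pull request that targets master/main.
#   3. Push-triggered scans of master/main can be added if they are needed.
#
# NOTE(review): `github.head_ref` is the PR author's branch name. It is only
# interpolated into `run-name` and the analysis `category` below, never into a
# `run:` script; keep it that way to avoid shell injection via branch names.
on:
  pull_request:
    # Only PRs targeting master or main
    branches:
      - 'master'
      - 'main'
  # Every Monday 08:00 MYT (00:00 UTC)
  schedule:
    - cron: '00 00 * * 1'
  # Manual trigger
  workflow_dispatch:

# No permissions at the workflow level; each job asks for exactly what it needs
# (the job below grants actions/contents read and security-events write), so a
# job added later inherits nothing by accident.
permissions: {}

jobs:
  codeql-analyze:
    name: Analyze
    runs-on: 'ubuntu-latest'
    permissions:
      actions: read
      contents: read
      security-events: write  # required to upload SARIF results
    strategy:
      fail-fast: false
      matrix:
        language: ['javascript']
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
        # 'java' also covers Kotlin; 'javascript' also covers TypeScript.
        # https://aka.ms/codeql-docs/language-support
    steps:
      # TODO(security): pin every `uses:` below to a full-length commit SHA
      # (tag name in a trailing comment) instead of a mutable tag or branch.
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          # Nothing in this job pushes back to the repository, so do not leave
          # the job token in .git/config for later steps (including the
          # third-party actions below) to read. Re-enable only if a step
          # turns out to need authenticated git access.
          persist-credentials: false

      # Timestamps used to name and file the uploaded report (non-PR runs only).
      # Both values are written in one step; the former step ids were unused.
      - name: Record report date and time
        if: ${{ github.event_name != 'pull_request' }}
        run: |
          echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_ENV"
          echo "date_time=$(date +'%Y-%m-%dT%H:%M')" >> "$GITHUB_ENV"

      # Initializes the CodeQL tools for scanning.
      # NOTE(review): the `query-filters` block also drops findings whose
      # severity is "warning", which is not limited to quality/style alerts;
      # some security queries report at that level. Re-check this before
      # treating the result as "errors only".
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          config: |
            paths:
              - src
              - tools
            paths-ignore:
              - '**/*.test.js'
            query-filters:
              - exclude:
                  problem.severity:
                    - note
                    - low
                    - warning
          # Query packs: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
          # queries: security-extended,security-and-quality # We can enable this once we are ready

      # Perform CodeQL scan
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
        with:
          # One category per language+branch so results from different
          # branches do not overwrite each other in code scanning.
          category: "${{ matrix.language }}/branch:${{ github.head_ref || github.ref_name }}"

      # The two steps below run third-party actions from a mutable `main`
      # branch while holding TOKEN_GITHUB_ACTIONS and GOOGLE_DRIVE_CREDS. Any
      # push to those repositories changes what executes here with those
      # secrets: pin both to a reviewed commit SHA. Also confirm that
      # TOKEN_GITHUB_ACTIONS is scoped to the minimum the report needs
      # (reading code-scanning alerts) rather than a broad personal token.
      - name: Generate Code Security Report
        if: ${{ github.event_name != 'pull_request' }}
        uses: kfit-dev/github-security-report-action@main
        with:
          token: ${{ secrets.TOKEN_GITHUB_ACTIONS }}
          template: report

      - name: Upload Code Security Report to Google Drive
        if: ${{ github.event_name != 'pull_request' }}
        uses: kfit-dev/google-drive-upload-action@main
        with:
          target: report.pdf
          credentials: ${{ secrets.GOOGLE_DRIVE_CREDS }}
          parent_folder_id: 1RAcNjaHnxZrkMMlEMnZtaR5GTcQGNElr
          name: ${{ github.repository }}-${{ matrix.language }}-${{ env.date_time }}.pdf
          child_folder: ${{ env.date }}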