From 6f43bf8bc7d4faf2194b473761dd971eb1e8bccc Mon Sep 17 00:00:00 2001
From: Sherry Li
Date: Sat, 15 Jan 2022 15:23:15 -0500
Subject: [PATCH 1/3] Add CodeQL GitHub Actions workflow
---
.github/workflows/code-analysis.yml | 41 +++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 .github/workflows/code-analysis.yml
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
new file mode 100644
index 0000000..5d6dca5
--- /dev/null
+++ b/.github/workflows/code-analysis.yml
@@ -0,0 +1,41 @@
+name: "Code Analysis"
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+ schedule:
+ # Scheduled workflows run on the latest commit on the default or base branch.
+ # The shortest interval you can run scheduled workflows is once every 15 minutes.
+ # ┌───────────── minute (0 - 59)
+ # │ ┌───────────── hour (0 - 23)
+ # │ │ ┌───────────── day of the month (1 - 31)
+ # │ │ │ ┌───────────── month (1 - 12 or JAN-DEC)
+ # │ │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT)
+ # │ │ │ │ │
+ # │ │ │ │ │
+ # │ │ │ │ │
+ # * * * * *
+ - cron: '0 0 * * 0'
+
+jobs:
+ codeql-scan:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ # CodeQL supports the following languages: go, javascript, csharp, python, cpp, java.
+ # Select javascript for typescript
+ with:
+ languages: javascript, python
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
From f6fde45e3515849f66fb19771ba85c2f5a53b560 Mon Sep 17 00:00:00 2001
From: Sherry Li
Date: Sat, 15 Jan 2022 16:09:36 -0500
Subject: [PATCH 2/3] Ignore third-party files in code analysis
---
.github/workflows/code-analysis.yml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
index 5d6dca5..ad582eb 100644
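Review bot: The job-level `permissions:` block lists only `security-events: write`, and declaring any scope at job level resets every unlisted scope to none, so the `actions/checkout@v2` step and the CodeQL upload run without the `contents: read` and `actions: read` scopes the CodeQL starter workflow grants alongside it; add `contents: read` and `actions: read` under `permissions:` so the job does not depend on repository visibility for the checkout. The three `uses:` lines reference mutable major-version tags (`@v2`, `@v1`), which means a moved or compromised tag silently changes what executes with write access to the code-scanning alerts; pinning each to a full commit SHA, with the tag kept in a trailing comment for readability, is the usual mitigation and is worth applying to the same `init@v1` and `analyze@v1` refs that appear as context in the third patch. The comment block above `languages:` documents the supported languages but not why `javascript, python` was chosen, so a one-line comment such as `# javascript covers the TypeScript frontend, python the backend/ tree` would make the selection reviewable.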
--- a/.github/workflows/code-analysis.yml
+++ b/.github/workflows/code-analysis.yml
@@ -4,9 +4,15 @@ on:
 push:
 branches:
 - main
+ paths-ignore:
+ # Ignore files from third-party packages, e.g. Swagger
+ - 'backend/python/app/static'
 pull_request:
 branches:
 - main
+ paths-ignore:
+ - 'backend/python/app/static'
+
 schedule:
+ # Scheduled workflows run on the latest commit on the default or base branch.
+ # The shortest interval you can run scheduled workflows is once every 15 minutes.
From e82d5b293e7d748d580a2efd791e3abf2f76b7a3 Mon Sep 17 00:00:00 2001
From: Sherry Li
Date: Sat, 15 Jan 2022 16:30:41 -0500
Subject: [PATCH 3/3] Add custom CodeQL config file
---
.github/configs/codeql-config.yml | 5 +++++
.github/workflows/code-analysis.yml | 7 +------
2 files changed, 6 insertions(+), 6 deletions(-)
create mode 100644 .github/configs/codeql-config.yml
diff --git a/.github/configs/codeql-config.yml b/.github/configs/codeql-config.yml
new file mode 100644
index 0000000..fd75cce
--- /dev/null
+++ b/.github/configs/codeql-config.yml
@@ -0,0 +1,5 @@
+name: "CodeQL config"
+
+paths-ignore:
+ # Ignore files from third-party packages, e.g. Swagger
+ - backend/python/app/static
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
index ad582eb..dc9cfa4 100644
--- a/.github/workflows/code-analysis.yml
+++ b/.github/workflows/code-analysis.yml
@@ -4,15 +4,9 @@ on:
 push:
 branches:
 - main
- paths-ignore:
- # Ignore files from third-party packages, e.g. Swagger
- - 'backend/python/app/static'
 pull_request:
 branches:
 - main
- paths-ignore:
- - 'backend/python/app/static'
-
 schedule:
 # Scheduled workflows run on the latest commit on the default or base branch.
 # The shortest interval you can run scheduled workflows is once every 15 minutes.
@@ -42,6 +36,7 @@ jobs:
 # Select javascript for typescript
 with:
 languages: javascript, python
+ config-file: ./.github/configs/codeql-config.yml
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@v1
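Review bot: The `paths-ignore` entry in the new `codeql-config.yml` removes everything under `backend/python/app/static` from analysis entirely, so any vendored third-party JavaScript bundled there (the Swagger assets the comment refers to) gets no CodeQL coverage and needs a separate dependency-vulnerability check to stay visible; recording that trade-off above the entry, e.g. `# Excluded from CodeQL; vendored assets here must be covered by dependency scanning instead`, keeps the exclusion from being read as "already reviewed". As far as I recall, the config-file `paths-ignore` filter is only honoured for interpreted languages such as the `javascript, python` selected in the workflow, so if a compiled language is ever added the directory would be analysed again — worth a one-line note in the config so the assumption is explicit. The `name: "CodeQL config"` key is fine but unused by the action; a short header comment stating that the file is consumed via `config-file:` in `.github/workflows/code-analysis.yml` would tie the two files together for the next reader.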