django-admin-react/.github/workflows/codeql.yml at a14bd5e52f08728541ba922e4d43a3d0f4b9f097 · MartinCastroAlvarez/django-admin-react · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# CodeQL static analysis.
#
# This is the ONE CI workflow the package ships (SECURITY.md §8 keeps
# the lint/test pipeline local-only for v0.x; CodeQL is the documented
# exception — issue #144, post-public-flip hardening). It runs GitHub's
# semantic code analysis over the Python package and the TypeScript
# frontend, surfacing findings in the repository's Security tab where
# external reporters and maintainers both look. Free for public repos.
#
# It complements, not replaces, the local gates: `bandit` / `ruff -S`
# (Python) and `eslint` (frontend) still run via `scripts/lint.sh`;
# CodeQL adds dataflow-based detection (injection, path traversal,
# unsafe deserialization) those rule-based linters can miss.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly re-scan so a newly-published CodeQL query catches an issue
    # in code that hasn't changed since the last push.
    - cron: "27 4 * * 1"

# Least-privilege: the analysis only needs to read the code and write
# security events. No write access to contents, packages, or anything
# that could mutate the repo.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # `python` covers django_admin_react/; `javascript-typescript`
        # covers frontend/. Both are first-party code we ship or build.
        language: [python, javascript-typescript]
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Initialize CodeQL
        uses: github/codeql-action/init@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3
        with:
          language: ${{ matrix.language }}
          # `security-and-quality` is the broadest first-party query
          # suite — security findings plus maintainability/correctness.
          queries: security-and-quality

      - name: Autobuild
        uses: github/codeql-action/autobuild@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3
        with:
          category: "/language:${{ matrix.language }}"