Skip to content

Add CodeQL analysis workflow configuration#3

Merged
moop-moop merged 12 commits into
mainfrom
feature/code-scanning
Sep 26, 2025
Merged

Add CodeQL analysis workflow configuration#3
moop-moop merged 12 commits into
mainfrom
feature/code-scanning

Conversation

@moop-moop

@moop-moop moop-moop commented Sep 26, 2025

Copy link
Copy Markdown
Member

This pull request restructures and enhances the project's code security and code quality workflows. It replaces the previous combined code evaluation workflow with more modular and advanced workflows for security scanning and code analysis, and introduces new tools for continuous code quality monitoring.

Key changes:

Security and Dependency Workflows

  • Replaces the old .github/workflows/code_evaulation.yml with a new, modular .github/workflows/code_security.yml that splits security checks into separate jobs for KEV Policy, EPSS Policy, and Dependency Review, and ensures these run on all pull requests to the main branch. The new workflow also adds pull-requests: write permissions for better PR integration. [1] [2]

Code Quality Analysis

  • Adds .github/workflows/codeql.yml for advanced CodeQL analysis, enabling automated code scanning for vulnerabilities and errors across multiple languages on pushes, pull requests, and a weekly schedule.
  • Introduces .github/workflows/sonarqube.yml to run SonarQube scans on pushes and pull requests, facilitating continuous code quality monitoring.
  • Adds a sonar-project.properties configuration file for SonarQube, specifying project metadata and settings for SonarCloud integration.

Comment thread .github/workflows/code_evaulation.yml Fixed
Copilot AI review requested due to automatic review settings September 26, 2025 22:07
@github-actions

github-actions Bot commented Sep 26, 2025

Copy link
Copy Markdown

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

.github/workflows/code_security.yml

PackageVersionLicenseIssue Type
advanced-security/dependabot-epss-action0.*.*NullUnknown License

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout 5.*.* 🟢 6.8
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Maintained🟢 57 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ -1internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration
SAST🟢 9SAST tool detected but not run on all commits
Vulnerabilities🟢 100 existing vulnerabilities detected
actions/actions/create-github-app-token 2.*.* 🟢 6.6
Details
CheckScoreReason
Maintained🟢 810 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review🟢 5Found 10/19 approved changesets -- score normalized to 5
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies🟢 5dependency not pinned by hash detected -- score normalized to 5
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Packaging🟢 10packaging workflow detected
SAST🟢 7SAST tool is not run on all commits -- score normalized to 7
Vulnerabilities🟢 91 existing vulnerabilities detected
actions/actions/dependency-review-action 4.*.* 🟢 7.9
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review🟢 10all changesets reviewed
Maintained🟢 1030 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy🟢 9security policy file detected
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Pinned-Dependencies⚠️ 2dependency not pinned by hash detected -- score normalized to 2
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
SAST🟢 10SAST tool is run on all commits
Vulnerabilities🟢 91 existing vulnerabilities detected
actions/advanced-security/dependabot-epss-action 0.*.* UnknownUnknown
actions/advanced-security/dependabot-kev-action 0.*.* 🟢 3.9
Details
CheckScoreReason
Dangerous-Workflow⚠️ -1no workflows found
Token-Permissions⚠️ -1No tokens found
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies⚠️ -1no dependencies found
Code-Review⚠️ 0Found 0/17 approved changesets -- score normalized to 0
Binary-Artifacts🟢 10no binaries found in the repo
Security-Policy🟢 10security policy file detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Vulnerabilities🟢 100 existing vulnerabilities detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
actions/actions/checkout 5.*.* 🟢 6.8
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Maintained🟢 57 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ -1internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration
SAST🟢 9SAST tool detected but not run on all commits
Vulnerabilities🟢 100 existing vulnerabilities detected
actions/github/codeql-action/analyze 3.*.* UnknownUnknown
actions/github/codeql-action/init 3.*.* UnknownUnknown
actions/SonarSource/sonarqube-scan-action 6.*.* 🟢 5.9
Details
CheckScoreReason
Code-Review🟢 9Found 23/24 approved changesets -- score normalized to 9
Maintained🟢 68 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6
Binary-Artifacts🟢 10no binaries found in the repo
Security-Policy🟢 10security policy file detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Vulnerabilities🟢 100 existing vulnerabilities detected
Fuzzing⚠️ 0project is not fuzzed
Packaging⚠️ -1packaging workflow not detected
License🟢 10license file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
actions/actions/checkout 5.*.* 🟢 6.8
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Maintained🟢 57 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ -1internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration
SAST🟢 9SAST tool detected but not run on all commits
Vulnerabilities🟢 100 existing vulnerabilities detected

Scanned Files

  • .github/workflows/code_evaulation.yml
  • .github/workflows/code_security.yml
  • .github/workflows/codeql.yml
  • .github/workflows/sonarqube.yml

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds advanced static code analysis workflows to enhance the repository's security and code quality scanning capabilities. The changes introduce CodeQL analysis for multiple programming languages and restructure the existing code evaluation workflow while preparing for future SonarQube integration.

  • Added a comprehensive CodeQL workflow with multi-language support and configurable analysis modes
  • Refactored the code evaluation workflow to separate concerns into distinct jobs with proper dependency management
  • Added a placeholder for future SonarQube integration to expand code scanning coverage

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
.github/workflows/codeql.yml New CodeQL workflow with multi-language analysis support for security scanning
.github/workflows/code_evaulation.yml Restructured workflow with separated jobs and added SonarQube placeholder

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Comment thread .github/workflows/code_security.yml
Comment thread .github/workflows/code_security.yml
Comment thread .github/workflows/code_evaulation.yml Outdated
Comment thread .github/workflows/code_security.yml
Comment thread .github/workflows/code_security.yml Fixed
Copilot AI review requested due to automatic review settings September 26, 2025 22:26

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.


Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Comment thread .github/workflows/code_security.yml Outdated
Sonar-Scanning:
name: Sonar Code Scanning
runs-on: ubuntu-latest
steps:

Copilot AI Sep 26, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Sonar-Scanning job only contains a placeholder echo command. Consider removing this job until the actual SonarQube implementation is ready, or add a comment explaining when this will be implemented to avoid confusion.

Suggested change
steps:
steps:
# TODO: Implement SonarQube scanning here. This is a placeholder step.
# Remove this placeholder and add actual SonarQube integration when ready (planned Q3 2024).

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/code_security.yml
Comment thread .github/workflows/code_security.yml Fixed
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings September 26, 2025 22:30

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.


Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Comment thread .github/workflows/code_security.yml Outdated
name: Sonar Code Scanning
runs-on: ubuntu-latest
steps:
- run: echo "Future Location of Sonar Cube Scanner" No newline at end of file

Copilot AI Sep 26, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The job name uses 'Sonar-Scanning' but the step comment refers to 'Sonar Cube Scanner'. It should be 'SonarQube' (one word) for consistency with the official product name.

Suggested change
- run: echo "Future Location of Sonar Cube Scanner"
- run: echo "Future Location of SonarQube Scanner"

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/code_security.yml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings September 26, 2025 22:32

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (1)

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Comment thread .github/workflows/code_security.yml Fixed
Copilot AI review requested due to automatic review settings September 26, 2025 23:12

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.


Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Comment thread sonar-project.properties
@@ -0,0 +1,14 @@
sonar.projectKey=UWHealth_react-suspended-vulnerable-application
sonar.organization=uwhealth-makerting-tech

Copilot AI Sep 26, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a typo in the organization name: 'makerting' should be 'marketing'.

Suggested change
sonar.organization=uwhealth-makerting-tech
sonar.organization=uwhealth-marketing-tech

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/code_security.yml Fixed
Comment on lines +11 to +20
name: SonarQube
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: SonarQube Scan
uses: SonarSource/sonarqube-scan-action@v6
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} No newline at end of file

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
@moop-moop moop-moop merged commit 0797cc9 into main Sep 26, 2025
5 of 7 checks passed
@moop-moop moop-moop deleted the feature/code-scanning branch September 26, 2025 23:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants