-
Notifications
You must be signed in to change notification settings - Fork 62
111 lines (106 loc) · 3.95 KB
/
codeql.yaml
File metadata and controls
111 lines (106 loc) · 3.95 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
# Copyright 2025 Chainguard, Inc.
# SPDX-License-Identifier: Apache-2.0
name: "CodeQL Advanced"
on:
pull_request:
push:
branches: ["main"]
schedule:
- cron: "35 23 * * 0"
env:
CODEQL_EXTRACTOR_GO_BUILD_TRACING: "on"
permissions: {}
jobs:
analyze:
if: ${{ github.repository == 'chainguard-dev/malcontent' }}
runs-on: ubuntu-latest-16-core
permissions:
actions: read
contents: read
packages: read
security-events: write
steps:
- uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
egress-policy: audit
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Cache yara-x-capi installation
id: yara-x-capi
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
with:
path: yara-x-install
key: yara-x-capi-v1.12.0-${{ runner.os }}
- name: Checkout virusTotal/yara-x
if: steps.yara-x-capi.outputs.cache-hit != 'true'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
fetch-tags: true
repository: virusTotal/yara-x
path: yara-x
ref: refs/tags/v1.12.0
- name: Install Rust for yara-x-capi
if: steps.yara-x-capi.outputs.cache-hit != 'true'
uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
with:
toolchain: stable
- name: Cache Rust dependencies
if: steps.yara-x-capi.outputs.cache-hit != 'true'
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
with:
path: |
~/.cargo/registry/
~/.cargo/git/
key: rust-cargo-v1.12.0-${{ runner.os }}
restore-keys: rust-cargo-
- name: Build yara-x-capi
if: steps.yara-x-capi.outputs.cache-hit != 'true'
run: |
command -v cargo-cinstall || cargo install cargo-c --locked
cd ${{ github.workspace }}/yara-x
cargo cinstall -p yara-x-capi --features=native-code-serialization --release --pkgconfigdir=${{ github.workspace }}/yara-x-install --includedir=${{ github.workspace }}/yara-x-install --libdir=${{ github.workspace }}/yara-x-install
rm -rf ${{ github.workspace }}/yara-x
- name: Set up Go
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version-file: "go.mod"
check-latest: true
cache: true
- name: Initialize CodeQL
uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
with:
languages: go
build-mode: manual
- run: |
go build -o /dev/null ./...
go test -o /dev/null -c ./...
env:
PKG_CONFIG_PATH: ${{ github.workspace }}/yara-x-install
LD_LIBRARY_PATH: ${{ github.workspace }}/yara-x-install
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
with:
category: "/language:go"
analyze-actions:
if: ${{ github.repository == 'chainguard-dev/malcontent' }}
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
packages: read
security-events: write
steps:
- uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Initialize CodeQL
uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
with:
languages: actions
build-mode: none
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
with:
category: "/language:actions"