diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml index 88d151e9ae3..6009c69c169 100644 --- a/.github/codeql/codeql-config.yml +++ b/.github/codeql/codeql-config.yml @@ -10,12 +10,19 @@ # # SPDX-License-Identifier: Apache-2.0 # ******************************************************************************* -name: "Custom CodeQL Configuration for MISRA" -paths: - - repos +name: "Custom CodeQL Configuration for MISRA (Manual Build)" + +# With build-mode: manual, CodeQL only analyzes files that were compiled. +# The paths/paths-ignore act as FILTERS on compiled files, not scan directives. +# Keep this minimal - CodeQL automatically captures everything built by Bazel. + +# Only analyze production code (exclude test/mock code from results) paths-ignore: - "**/*test*" - "**/*mock*" - "**/test/**" + - "**/tests/**" - "**/mock/**" + - "**/examples/**" - "**/codeql-coding-standards-repo/**" + - "**/bazel-*/**" diff --git a/.github/workflows/codeql-multiple-repo-scan.yml b/.github/workflows/codeql-multiple-repo-scan.yml index a22531153b2..10a9b8fdae0 100644 --- a/.github/workflows/codeql-multiple-repo-scan.yml +++ b/.github/workflows/codeql-multiple-repo-scan.yml @@ -40,38 +40,56 @@ jobs: steps: - name: Checkout central repository uses: actions/checkout@v4 - - name: Checkout CodeQL Coding Standards scripts - uses: actions/checkout@v4 - with: - repository: github/codeql-coding-standards - path: codeql-coding-standards-repo # Klonen in diesen Ordner - ref: main # Oder eine spezifische Release-Version, z.B. 'v2.53.0-dev' # Add coding standard packages and dependencies - name: Install Python dependencies for Coding Standards scripts run: | python3 -m pip install --upgrade pip pip3 install pyyaml jsonpath-ng jsonschema jsonpatch jsonpointer pytest sarif-tools - - name: Parse known_good.json and create repos.json - id: parse-repos - run: | - scripts/workflow/parse_repos.sh - - name: Checkout all pinned repositories - id: checkout-repos - run: | - scripts/workflow/checkout_repos.sh + # - name: Parse known_good.json and create repos.json + # id: parse-repos + # run: | + # scripts/workflow/parse_repos.sh + # - name: Checkout all pinned repositories + # id: checkout-repos + # run: | + # scripts/workflow/checkout_repos.sh + - name: Setup Bazel + uses: bazel-contrib/setup-bazel@0.15.0 + with: + # Avoid downloading Bazel every time. + bazelisk-cache: true + # Store build cache per workflow. + disk-cache: codeql-scan + # Share repository cache between workflows. + repository-cache: true - name: Initialize CodeQL for all repositories uses: github/codeql-action/init@v4 with: languages: cpp - build-mode: none - packs: codeql/misra-cpp-coding-standards + build-mode: manual + packs: codeql/misra-cpp-coding-standards@2.53.0 config-file: ./.github/codeql/codeql-config.yml + - name: Build all components with Bazel + run: | + echo "Building all C++ and Rust targets for CodeQL analysis" + # Build all targets from the checked-out repositories + # This ensures CodeQL captures the compilation database + bazel build --verbose_failures --config=linux-x86_64 \ + @score_lifecycle_health//src/... \ + @score_logging//score/... \ + || true # Continue even if some targets fail - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 with: upload-database: false # Don't upload databases for each repo output: sarif-results/ category: "multi-repo-scan" + - name: Checkout CodeQL Coding Standards scripts + uses: actions/checkout@v4 + with: + repository: github/codeql-coding-standards + path: codeql-coding-standards-repo # Klonen in diesen Ordner + ref: main # Oder eine spezifische Release-Version, z.B. 'v2.53.0-dev' - name: Recategorize Guidelines if: always() run: |