Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 10 additions & 3 deletions .github/codeql/codeql-config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,12 +10,19 @@
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************
name: "Custom CodeQL Configuration for MISRA"
paths:
- repos
name: "Custom CodeQL Configuration for MISRA (Manual Build)"

# With build-mode: manual, CodeQL only analyzes files that were compiled.
# The paths/paths-ignore act as FILTERS on compiled files, not scan directives.
# Keep this minimal - CodeQL automatically captures everything built by Bazel.

# Only analyze production code (exclude test/mock code from results)
paths-ignore:
- "**/*test*"
- "**/*mock*"
- "**/test/**"
- "**/tests/**"
- "**/mock/**"
- "**/examples/**"
- "**/codeql-coding-standards-repo/**"
- "**/bazel-*/**"
50 changes: 34 additions & 16 deletions .github/workflows/codeql-multiple-repo-scan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,38 +40,56 @@ jobs:
steps:
- name: Checkout central repository
uses: actions/checkout@v4
- name: Checkout CodeQL Coding Standards scripts
uses: actions/checkout@v4
with:
repository: github/codeql-coding-standards
path: codeql-coding-standards-repo # Klonen in diesen Ordner
ref: main # Oder eine spezifische Release-Version, z.B. 'v2.53.0-dev'
# Add coding standard packages and dependencies
- name: Install Python dependencies for Coding Standards scripts
run: |
python3 -m pip install --upgrade pip
pip3 install pyyaml jsonpath-ng jsonschema jsonpatch jsonpointer pytest sarif-tools
- name: Parse known_good.json and create repos.json
id: parse-repos
run: |
scripts/workflow/parse_repos.sh
- name: Checkout all pinned repositories
id: checkout-repos
run: |
scripts/workflow/checkout_repos.sh
# - name: Parse known_good.json and create repos.json
# id: parse-repos
# run: |
# scripts/workflow/parse_repos.sh
# - name: Checkout all pinned repositories
# id: checkout-repos
# run: |
# scripts/workflow/checkout_repos.sh
- name: Setup Bazel
uses: bazel-contrib/setup-bazel@0.15.0
with:
# Avoid downloading Bazel every time.
bazelisk-cache: true
# Store build cache per workflow.
disk-cache: codeql-scan
# Share repository cache between workflows.
repository-cache: true
- name: Initialize CodeQL for all repositories
uses: github/codeql-action/init@v4
with:
languages: cpp
build-mode: none
packs: codeql/misra-cpp-coding-standards
build-mode: manual
packs: codeql/misra-cpp-coding-standards@2.53.0
config-file: ./.github/codeql/codeql-config.yml
- name: Build all components with Bazel
run: |
echo "Building all C++ and Rust targets for CodeQL analysis"
# Build all targets from the checked-out repositories
# This ensures CodeQL captures the compilation database
bazel build --verbose_failures --config=linux-x86_64 \
@score_lifecycle_health//src/... \
@score_logging//score/... \
|| true # Continue even if some targets fail
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
upload-database: false # Don't upload databases for each repo
output: sarif-results/
category: "multi-repo-scan"
- name: Checkout CodeQL Coding Standards scripts
uses: actions/checkout@v4
with:
repository: github/codeql-coding-standards
path: codeql-coding-standards-repo # Klonen in diesen Ordner
ref: main # Oder eine spezifische Release-Version, z.B. 'v2.53.0-dev'
- name: Recategorize Guidelines
if: always()
run: |
Expand Down
Loading