Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletions .github/workflows/Build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,14 @@ on:
- 'master'
- 'beta'
- 'release-*'
workflow_run:
workflows: ["CodeQL"]
types:
- completed
branches:
- 'master'
- 'beta'
- 'release-*'

jobs:
build:
Expand All @@ -38,6 +46,34 @@ jobs:
uses: actions/checkout@v3
with:
fetch-depth: 0

- name: Check for CodeQL high severity issues
if: github.event_name == 'workflow_run' && github.event.workflow_run.name == 'CodeQL'
run: |
# First check if the CodeQL workflow was successful
if ("${{ github.event.workflow_run.conclusion }}" -ne "success") {
Write-Error "CodeQL workflow did not complete successfully. Please check the CodeQL analysis for errors."
exit 1
}

# Download artifact containing the flag file
$CodeQLWorkflowRunID = "${{ github.event.workflow_run.id }}"
$REPO = "${{ github.repository }}"
$TOKEN = "${{ github.token }}"

$artifactsListUrl = "https://api.github.com/repos/$REPO/actions/runs/$CodeQLWorkflowRunID/artifacts"
Write-Output "Fetching artifacts from $artifactsListUrl"

$artifactsList = Invoke-RestMethod -Uri $artifactsListUrl -Headers @{Authorization = "Bearer $TOKEN"}

foreach ($artifact in $artifactsList.artifacts) {
if ($artifact.name -eq "codeql_high_severity_found") {
Write-Error "CodeQL analysis found high severity security issues. Please fix the security vulnerabilities before proceeding."
exit 1
}
}

Write-Output "No high severity issues found in CodeQL analysis. Build can proceed."

- name: Install .NET 8
uses: actions/setup-dotnet@v3
Expand Down
38 changes: 38 additions & 0 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -84,3 +84,41 @@ jobs:
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
output: sarif-results

- name: Upload SARIF results
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: sarif-results
wait-for-processing: true

- name: Check for high severity alerts
id: check_alerts
run: |
$highSeverityFound = $false
Get-ChildItem "sarif-results" -Recurse -Filter "*.sarif" | ForEach-Object {
$sarif = Get-Content $_.FullName | ConvertFrom-Json
foreach ($run in $sarif.runs) {
foreach ($result in $run.results) {
$severity = $result.properties.security-severity
if ($severity -ge 8.0) {
Write-Output "High severity vulnerability found: $($result.message.text)"
$highSeverityFound = $true
}
}
}
}

echo "high_severity_found=$highSeverityFound" >> $env:GITHUB_OUTPUT

- name: Create high severity flag file
if: steps.check_alerts.outputs.high_severity_found == 'true'
run: |
New-Item -Path "codeql_high_severity_found" -ItemType File -Force

- name: Upload flag file as artifact
if: steps.check_alerts.outputs.high_severity_found == 'true'
uses: actions/upload-artifact@v4
with:
name: codeql_high_severity_found
path: codeql_high_severity_found
Loading