CodeQL #299
```yaml
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly scan on Sunday at midnight UTC — catches newly published CVEs
    # against existing code between releases.
    - cron: '0 0 * * 0'

permissions:
  contents: read

jobs:
  analyze:
    name: CodeQL
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      # GitHub uses "javascript" as the CodeQL language identifier for both
      # JavaScript and TypeScript. build-mode: none means CodeQL analyses
      # the source directly without needing a compilation step.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
        with:
          languages: javascript
          build-mode: none

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
        with:
          category: codeql
          output: codeql-results.sarif

      # Fail the job (and block merge) if any error-level (HIGH/CRITICAL) findings exist.
      # Warning-level (MEDIUM) findings are reported to the Security tab but do not block.
      # The analyze action writes one SARIF file per language into the output directory.
      # For this repo the language is javascript (covers TypeScript too).
      - name: Fail on HIGH/CRITICAL SAST findings
        run: |
          COUNT=$(jq '[.runs[].results[] | select(.level == "error")] | length' codeql-results.sarif/javascript.sarif)
          echo "Error-level CodeQL findings: ${COUNT}"
          if [ "${COUNT}" -gt 0 ]; then
            echo "::error::${COUNT} HIGH/CRITICAL CodeQL finding(s) must be resolved before merge"
            exit 1
          fi
```
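The final step gates the merge on `level == "error"` in the SARIF file. One caveat worth knowing when reviewing such a gate: SARIF 2.1.0 lets a result omit `level`, in which case the effective level is the rule's `defaultConfiguration.level` (and `warning` if that is absent too), and results whose `kind` is not `fail` carry no severity at all. The Python script below is an added example, not part of this PR or of the codeql-action, that reproduces the jq check and goes beyond it by resolving the effective level per the SARIF defaulting rule. The SARIF document embedded in it is constructed for the demo; it only looks up rules under `tool.driver.rules` (rules shipped in `tool.extensions` are not resolved, an intentional simplification), and the function names `effective_level`, `count_by_level` and `gate` are chosen here.

```python
"""Gate a CodeQL SARIF file on error-level findings (added example).

Mirrors the jq step in the workflow, but resolves each result's effective
level the way SARIF 2.1.0 defines it: result.level, else the rule's
defaultConfiguration.level, else "warning". Results with kind != "fail"
have level "none". Rules are looked up in tool.driver.rules only.
"""
import json
import sys

# Constructed SARIF (not real CodeQL output): two rules, three results.
# Only the first result carries an explicit level; the others inherit it
# from their rule via defaultConfiguration.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {
            "tool": {
                "driver": {
                    "name": "CodeQL",
                    "rules": [
                        {"id": "js/sql-injection",
                         "defaultConfiguration": {"level": "error"}},
                        {"id": "js/unused-local-variable",
                         "defaultConfiguration": {"level": "note"}},
                    ],
                }
            },
            "results": [
                {"ruleId": "js/sql-injection", "rule": {"index": 0},
                 "level": "error", "message": {"text": "explicit level"}},
                {"ruleId": "js/sql-injection", "rule": {"index": 0},
                 "message": {"text": "level inherited from rule"}},
                {"ruleId": "js/unused-local-variable", "rule": {"index": 1},
                 "message": {"text": "level inherited from rule"}},
            ],
        }
    ],
}


def effective_level(result, rules):
    """Return the SARIF level at which a result is reported."""
    # Only "fail" results carry a severity; pass/informational/etc. do not.
    if result.get("kind", "fail") != "fail":
        return "none"
    if "level" in result:
        return result["level"]
    # Fall back to the rule: first by index, then by ruleId, as SARIF allows.
    rule = None
    idx = result.get("rule", {}).get("index")
    if idx is not None and 0 <= idx < len(rules):
        rule = rules[idx]
    else:
        rule = next((r for r in rules if r.get("id") == result.get("ruleId")), None)
    if rule is None:
        return "warning"
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def count_by_level(sarif):
    """Count results per effective level across all runs in the document."""
    counts = {}
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        for result in run.get("results", []) or []:
            lvl = effective_level(result, rules)
            counts[lvl] = counts.get(lvl, 0) + 1
    return counts


def gate(sarif, blocking=("error",)):
    """Return (blocking_count, counts); a non-zero blocking_count fails the job."""
    counts = count_by_level(sarif)
    return sum(counts.get(level, 0) for level in blocking), counts


if __name__ == "__main__":
    # Usage: python sarif_gate.py codeql-results.sarif/javascript.sarif
    # With no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_SARIF
    blocking, counts = gate(doc)
    print(f"CodeQL findings by level: {counts}")
    if blocking:
        print(f"::error::{blocking} error-level CodeQL finding(s) must be resolved before merge")
        sys.exit(1)
```

On the constructed sample the jq one-liner would report a single error-level result (only the first carries an explicit `level`), whereas the SARIF-aware count reports two, since the second result inherits `error` from its rule. Whether CodeQL populates `level` on every result should be checked against the actual SARIF the action emits before relying on either form of the gate.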