-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore(ci): scan GitHub actions using CodeQL (#61)
* chore(ci): scan GitHub actions using CodeQL New CodeQL feature! It now scans Actions and Workflows. J:DEF-160
- Loading branch information
1 parent
2fe91ab
commit 2078db9
Showing
7 changed files
with
76 additions
and
13 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| name: "CodeQL (Actions)" | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| runs-on: | ||
| description: | | ||
| The type of machine to run the job on. Must be provided as a stringified list (e.g. public repos should specify `runs-on: '["ubuntu-latest"]'`) | ||
| default: '["coveo", "arm64" , "linux", "eks"]' | ||
| type: string | ||
|
|
||
| permissions: { } | ||
|
|
||
| jobs: | ||
| analyze-actions: | ||
| name: Analyze Actions | ||
|
|
||
| runs-on: ${{ fromJson(inputs.runs-on) }} | ||
|
|
||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| security-events: write | ||
|
|
||
| steps: | ||
| - name: Harden Runner | ||
| uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | ||
| with: | ||
| egress-policy: audit | ||
|
|
||
| - name: Checkout repository | ||
| uses: actions/[email protected] | ||
|
|
||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 | ||
| with: | ||
| languages: actions | ||
|
|
||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 | ||
| with: | ||
| category: "/language:actions" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -62,16 +62,16 @@ jobs: | |
| egress-policy: audit | ||
|
|
||
| - name: Checkout scan target | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| uses: actions/[email protected] | ||
|
|
||
| - name: Checkout licenses | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| uses: actions/[email protected] | ||
| with: | ||
| repository: coveo/dependency-allowed-licenses | ||
| path: coveo-dependency-allowed-licenses | ||
|
|
||
| - name: Get Properties | ||
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | ||
| uses: actions/[email protected] | ||
| id: get-properties | ||
| with: | ||
| script: | | ||
|
|
@@ -100,7 +100,7 @@ jobs: | |
| - name: Select configuration | ||
| id: select-config | ||
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | ||
| uses: actions/[email protected] | ||
| with: | ||
| result-encoding: string | ||
| script: | | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -68,17 +68,17 @@ jobs: | |
| egress-policy: audit | ||
|
|
||
| - name: Checkout scan target | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| uses: actions/[email protected] | ||
|
|
||
| - name: Checkout licenses | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| uses: actions/[email protected] | ||
| with: | ||
| repository: coveo/dependency-allowed-licenses | ||
| path: coveo-dependency-allowed-licenses | ||
|
|
||
| - name: Select configuration | ||
| id: select-config | ||
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | ||
| uses: actions/[email protected] | ||
| env: | ||
| INPUTS: ${{ toJSON(inputs) }} | ||
| with: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -56,15 +56,15 @@ jobs: | |
| - run: echo "HOME=/root" >> $GITHUB_ENV | ||
|
|
||
| - name: Checkout repository | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| uses: actions/[email protected] | ||
|
|
||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 | ||
| with: | ||
| languages: java | ||
|
|
||
| - name: Cache maven dependencies | ||
| uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 | ||
| uses: actions/[email protected] | ||
| with: | ||
| path: ~/.m2 | ||
| key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -55,10 +55,10 @@ jobs: | |
| egress-policy: audit | ||
|
|
||
| - name: Checkout repository | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| uses: actions/[email protected] | ||
|
|
||
| - name: Cache maven dependencies | ||
| uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 | ||
| uses: actions/[email protected] | ||
| with: | ||
| path: ~/.m2 | ||
| key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| name: Test CodeQL for Actions | ||
|
|
||
| on: | ||
| pull_request: | ||
|
|
||
| push: | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: {} | ||
|
|
||
| jobs: | ||
| test: | ||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| security-events: write | ||
|
|
||
| uses: ./.github/workflows/actions-codeql.yml | ||
| with: | ||
| runs-on: '["ubuntu-latest"]' |