hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-08 03:01:10 +01:00
Code Issues Packages Projects Releases Wiki Activity

add workflow with codeql-action

Browse Source
This commit is contained in:
Esben Sparre Andreasen
2021-10-13 11:50:57 +02:00
parent bb3e6399a4
commit 85a35544af
6 changed files with 167 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

160
.github/workflows/codeql-analysis.yml vendored Normal file
View File

@@ -0,0 +1,160 @@
name: "CodeQL"
on:
workflow_dispatch:
push:
branches: [ main ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ main ]
schedule:
- cron: '21 18 * * 5'
jobs:
# XXX this is mostly an inlined copy of the 'build' job in build.yml
build_extractor_pack:
strategy:
matrix:
os: [ubuntu-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v2
- uses: actions/cache@v2
with:
path: |
~/.cargo/registry
~/.cargo/git
target
key: ${{ runner.os }}-rust-cargo-${{ hashFiles('**/Cargo.lock') }}
- name: Check formatting
run: cargo fmt --all -- --check
- name: Build
run: cargo build --verbose
- name: Run tests
run: cargo test --verbose
- name: Release build
run: cargo build --release
- name: Generate dbscheme
run: target/release/ql-generator
- uses: actions/upload-artifact@v2
with:
name: ql.dbscheme
path: ql/src/ql.dbscheme
- uses: actions/upload-artifact@v2
with:
name: TreeSitter.qll
path: ql/src/codeql_ql/ast/internal/TreeSitter.qll
- uses: actions/upload-artifact@v2
with:
name: extractor-${{ matrix.os }}
path: |
target/release/ql-extractor
retention-days: 1
# XXX this is mostly an inlined copy of the 'package' job in build.yml
- run: |
mkdir -p ${PACK_DIR}
env:
PACK_DIR: ${{ runner.temp }}/pack
- name: Pack
working-directory: ${{ runner.temp }}/pack
run: |
mkdir -p ql
cp -r "${CHECKOUT}/codeql-extractor.yml" "${CHECKOUT}/tools" "${CHECKOUT}/ql/src/ql.dbscheme" "${CHECKOUT}/ql/src/ql.dbscheme.stats" ql/
mkdir -p ql/tools/linux64
cp "${CHECKOUT}/target/release/ql-extractor" ql/tools/linux64/extractor
chmod +x ql/tools/linux64/extractor
zip -rq codeql-ql.zip ql
env:
CHECKOUT: ${{ github.workspace }}
- uses: actions/upload-artifact@v2
with:
name: extractor-pack
path: ${{ runner.temp }}/pack/codeql-ql.zip
retention-days: 1
analyze:
name: Analyze
needs: build_extractor_pack
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Download pack
uses: actions/download-artifact@v2
with:
name: extractor-pack
path: ${{ runner.temp }}/extractor-pack-artifact
- name: Unzip pack
run: |
set -x
mkdir "${PACKTMP}"
cd "${PACKTMP}"
unzip "${PACKARTIFACT}/*.zip" -d unzipped
cp -r unzipped/ql "${PACK}"
env:
PACKTMP: ${{ runner.temp }}/extractor-pack-artifact.tmp
PACKARTIFACT: ${{ runner.temp }}/extractor-pack-artifact
PACK: ${{ runner.temp }}/extractor-pack
- name: Checkout repository
uses: actions/checkout@v2
- name: Make config file
run: |
set -x
echo "name: CodeQL config for QL" >> "${CONFIG_FILE}"
echo "" >> "${CONFIG_FILE}"
echo "disable-default-queries: true" >> "${CONFIG_FILE}"
echo "" >> "${CONFIG_FILE}"
echo "queries: " >> "${CONFIG_FILE}"
echo " - name: Standard queries" >> "${CONFIG_FILE}"
echo " uses: ${SUITE}" >> "${CONFIG_FILE}"
cat "${CONFIG_FILE}"
env:
SUITE: ./ql/src/codeql-suites/ql-code-scanning.qls
CONFIG_FILE: ./.custom-codeql-actions-config.yml
- name: Hack codeql-action options
run: |
JSON=$(jq -nc --arg pack "${PACK}" '.resolve.extractor=["--search-path", $pack] | .database.init=["--search-path", $pack]')
echo "CODEQL_ACTION_EXTRA_OPTIONS=${JSON}" >> ${GITHUB_ENV}
env:
PACK: ${{ runner.temp }}/extractor-pack
- name: Initialize CodeQL
uses: github/codeql-action/init@esbena/ql
with:
languages: ql
db-location: ${{ runner.temp }}/db
config-file: ./.custom-codeql-actions-config.yml
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@esbena/ql
with:
results: ${{ runner.temp }}/results
add-snippets: true
- name: Upload db
uses: actions/upload-artifact@v2
with:
name: db
path: ${{ runner.temp }}/db
retention-days: 1
- name: Upload results
uses: actions/upload-artifact@v2
with:
name: results
path: ${{ runner.temp }}/results
retention-days: 1

10
ql/src/codeql-suites/ql-code-scanning.qls
View File

@@ -1,4 +1,8 @@
- description: Standard Code Scanning queries for QL
- qlpack: codeql-ql
- apply: code-scanning-selectors.yml
from: codeql-suite-helpers
- queries: .
- include:
kind:
- problem
- path-problem
- alert
- path-alert

11
ql/src/codeql-suites/ql-lgtm-full.qls
View File

@@ -1,11 +0,0 @@
- description: Standard LGTM queries for QL, including ones not displayed by default
- qlpack: codeql-ql
- apply: lgtm-selectors.yml
from: codeql-suite-helpers
# These are only for IDE use.
- exclude:
tags contain:
- ide-contextual-queries/local-definitions
- ide-contextual-queries/local-references
- query: Metrics/FLinesOfCode.ql

4
ql/src/codeql-suites/ql-lgtm.qls
View File

@@ -1,4 +0,0 @@
- description: Standard LGTM queries for QL
- apply: codeql-suites/ql-lgtm-full.qls
- apply: lgtm-displayed-only.yml
from: codeql-suite-helpers

4
ql/src/codeql-suites/ql-security-and-quality.qls
View File

@@ -1,4 +0,0 @@
- description: Security-and-quality queries for QL
- qlpack: codeql-ql
- apply: security-and-quality-selectors.yml
from: codeql-suite-helpers

4
ql/src/codeql-suites/ql-security-extended.qls
View File

@@ -1,4 +0,0 @@
- description: Security-extended queries for QL
- qlpack: codeql-ql
- apply: security-extended-selectors.yml
from: codeql-suite-helpers