Changed GitHub workflows to enable manually running CodeQL and Coveri… #23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CodeQL | |
# https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning | |
on: | |
push: | |
branches: ["static-analysis"] | |
paths-ignore: | |
- '.gitignore' | |
- '.gitattributes' | |
- '**.txt' | |
- '**.md' | |
- '**.rc' | |
workflow_dispatch: | |
# pull_request: | |
# The branches below must be a subset of the branches above | |
# branches: ["static-analysis"] | |
#schedule: | |
# - cron: '45 2 * * 0' | |
jobs: | |
analyze: | |
name: Analyze | |
runs-on: ubuntu-22.04 | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
strategy: | |
fail-fast: false | |
matrix: | |
language: [ 'cpp' ] | |
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] | |
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
- name: Install prerequisites | |
run: | | |
lsb_release -d | |
sudo add-apt-repository universe && sudo sudo apt-get -qq update | |
sudo apt install -yq --no-install-recommends ninja-build gcc-12 g++-12 > /dev/null | |
sudo apt install -yq --no-install-recommends mariadb-client libmariadb-dev | |
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 90 --slave /usr/bin/g++ g++ /usr/bin/g++-12 | |
- name: Report building tools | |
run: | | |
echo "GCC:" && gcc -v | |
echo && echo "CMake:" && cmake --version | |
echo && echo "Ninja:" && ninja --version | |
# Initializes the CodeQL tools for scanning. | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v2 | |
with: | |
languages: ${{ matrix.language }} | |
config-file: ./.github/codeql/codeql-config.yml | |
queries: +security-extended,security-and-quality | |
packs: +codeql/cpp-queries | |
# If you wish to specify custom queries, you can do so here or in a config file. | |
# By default, queries listed here will override any specified in a config file. | |
# Prefix the list here with "+" to use these queries and those in the config file. | |
# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | |
# queries: security-extended,security-and-quality | |
# c++ queries: https://codeql.github.com/codeql-query-help/cpp-cwe/ | |
# ℹ️ Command-line programs to run using the OS shell. | |
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun | |
# Build the code | |
- name: CMake | |
run: | | |
mkdir -p build | |
cmake -G "Unix Makefiles" -DCMAKE_BUILD_TYPE="Nightly" -DCMAKE_TOOLCHAIN_FILE=cmake/toolchains/Linux-GNU-x86_64.cmake -S ./ -B ./build | |
- name: Compilation | |
run: cd build && make -j$(nproc) | |
# We need now to exclude from the analysis the 3rd party library code. | |
# https://josh-ops.com/posts/github-codeql-ignore-files/ | |
# https://github.com/advanced-security/filter-sarif | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v2 | |
with: | |
category: "/language:${{matrix.language}}" | |
upload: false # disable the upload here - we will upload in a different action | |
output: sarif-results | |
- name: filter-sarif | |
uses: advanced-security/filter-sarif@v1 | |
with: | |
patterns: | | |
-lib/** | |
input: sarif-results/${{ matrix.language }}.sarif | |
output: sarif-results/${{ matrix.language }}.sarif | |
- name: Upload SARIF | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: sarif-results/${{ matrix.language }}.sarif |