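---
# Static-analysis workflow.
#
# Three independent jobs:
#   analyze        - CodeQL for the cpp and python matrix entries, plus a PDF
#                    security report uploaded as a build artifact.
#   analyze_rust   - cargo clippy on the rust/ crate, converted to SARIF and
#                    uploaded to Code Scanning.
#   analyze_bandit - Bandit over the python/ tree, converted to HTML and
#                    uploaded as a build artifact.
#
# Every action is pinned to a full commit SHA; the trailing `# vX.Y.Z` comment
# records the tag that SHA was taken from. Keep both in step when updating.
name: "CodeQL"

# `on` is a YAML 1.1 boolean key; GitHub's loader reads it as the trigger map.
on:
  push:
    branches: ["master"]
  pull_request:
    branches: ["master"]
  schedule:
    # Run every Monday at midnight (GitHub cron schedules are evaluated in UTC).
    - cron: "0 0 * * 1"

# Workflow-wide default: read-only. Each job below widens this only to what it
# needs (security-events: write is required to publish SARIF to Code Scanning).
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      # Let the other language finish if one of them fails.
      fail-fast: false
      matrix:
        language: ["cpp", "python"]

    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Initialize CodeQL
        uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          languages: ${{ matrix.language }}

      - name: Autobuild
        uses: github/codeql-action/autobuild@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          # A distinct category per matrix entry keeps the two uploads from
          # overwriting each other in Code Scanning.
          category: "/language:${{ matrix.language }}"

      - name: Generate CodeQL Security Report
        uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4
        with:
          template: report
          # GITHUB_TOKEN carries this job's permissions (including
          # security-events: write), so this third-party action must stay
          # SHA-pinned and reviewed on every bump.
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload CodeQL Security Report
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: codeql-report-${{ matrix.language }}
          path: report.pdf

  analyze_rust:
    name: Analyze (Rust)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install clippy
        run: rustup component add clippy

      - name: Install cargo-binstall
        uses: cargo-bins/cargo-binstall@ec80feb9e330418e014932e5982599255eff6dbb # 1.17.4

      - name: Install dependencies
        # NOTE(review): clippy-sarif and sarif-fmt are not version-pinned here,
        # unlike the SHA-pinned actions; pin them to a known-good version
        # (<version> placeholder) so a new crate release cannot change what
        # runs in this job unnoticed.
        run: cargo binstall --no-confirm clippy-sarif sarif-fmt

      - name: Run clippy
        working-directory: rust
        run: |
          cargo clippy --all-features --message-format=json > clippy.json
          # Prefix crate-relative file names with rust/ - presumably so the
          # SARIF locations resolve from the repository root. Only names that
          # begin with "itt" are rewritten; confirm that covers every source
          # path clippy reports.
          sed --in-place 's/"file_name":"itt/"file_name":"rust\/itt/g' clippy.json
          clippy-sarif --input clippy.json --output clippy.sarif
        # Presumably so a non-zero clippy exit still leaves clippy.sarif for the
        # steps below; findings then surface in Code Scanning rather than here.
        continue-on-error: true

      - name: Print SARIF
        run: sarif-fmt --input rust/clippy.sarif

      - name: Upload analysis
        uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          sarif_file: rust/clippy.sarif
          # Block until GitHub has processed the upload so processing errors
          # fail this run instead of being lost.
          wait-for-processing: true

  analyze_bandit:
    name: Analyze (Bandit Scan)
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      # The other jobs check out the repository explicitly; bandit-action is
      # pointed at the `python` directory, so the tree must be present. Added
      # for consistency - assumes bandit-action does not check out on its own.
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install dependencies
        # NOTE(review): sarif-tools is not version-pinned; pin it
        # (`sarif-tools==<version>` placeholder) once a known-good release is
        # chosen, for the same supply-chain reason the actions are SHA-pinned.
        run: pip install sarif-tools

      - name: Perform Bandit Analysis
        uses: PyCQA/bandit-action@67a458d90fa11fb1463e91e7f4c8f068b5863c7f # v1.0.1
        # Keep going on findings so the HTML report below is still produced.
        continue-on-error: true
        with:
          targets: "python"

      - name: Convert SARIF report to HTML
        # results.sarif is presumably written by the Bandit step above; verify
        # the file name against the action if its version changes.
        run: sarif html --output bandit-report.html results.sarif

      - name: Upload Bandit Scan report
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: bandit-report
          path: bandit-report.html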