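name: CodeQL Security Analysis

on:
  schedule:
    # Weekly scan: Sundays at 4 AM UTC
    - cron: '0 4 * * 0'
  # Lets other workflows in this repository invoke this scan as a reusable job.
  workflow_call:

# Workflow-level token scope is read-only; the job widens it only where needed.
permissions:
  contents: read

jobs:
  analyze:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write # Required for SARIF upload to Security tab
      actions: read

    strategy:
      # Keep scanning the remaining language if one matrix leg fails.
      fail-fast: false
      matrix:
        # Repository contains GitHub Actions workflows, PowerShell, shell scripts, and Python
        # CodeQL supports 'actions' for workflow scanning and 'python' for script analysis
        language: [ 'actions', 'python' ]

    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
        with:
          # Nothing in this job pushes, so do not leave the job token in .git/config.
          persist-credentials: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@ce729e4d353d580e6cacd6a8cf2921b72e5e310a # v3.27.0
        with:
          languages: ${{ matrix.language }}
          # security-and-quality is a superset of security-extended; listing both
          # is harmless but redundant.
          queries: security-extended,security-and-quality

      # Neither 'actions' nor 'python' requires a compiled build; this step is
      # expected to be a no-op for both and can be dropped if it ever fails.
      - name: Autobuild
        uses: github/codeql-action/autobuild@ce729e4d353d580e6cacd6a8cf2921b72e5e310a # v3.27.0

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@ce729e4d353d580e6cacd6a8cf2921b72e5e310a # v3.27.0
        with:
          # One category per matrix leg so the SARIF uploads do not overwrite each other.
          category: "/language:${{ matrix.language }}"

      - name: Add job summary
        if: always()
        # Hand the matrix value to the shell via the environment rather than
        # expanding the expression inside the script body, so the script text
        # itself never varies with the input.
        env:
          CODEQL_LANGUAGE: ${{ matrix.language }}
        run: |
          {
            echo "## CodeQL Security Analysis Complete"
            echo "**Language:** ${CODEQL_LANGUAGE}"
            echo "**Queries:** security-extended, security-and-quality"
            echo ""
            echo "📊 View results in the Security tab under Code Scanning"
          } >> "$GITHUB_STEP_SUMMARY"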