name: codeql
# CodeQL code scanning (GitHub's static-analysis / variant-analysis engine).
# Scans the Rust core crate, the PyO3 Python bindings, and the GitHub Actions
# workflows themselves, surfacing security findings as code-scanning alerts.
#
# build-mode: none — CodeQL's Rust support and build-less ("no-build") database
# creation are GA (CodeQL >= 2.23.3). Rust, Python, and `actions` are all
# analysed WITHOUT a compiler/interpreter run, so no `cargo build` (and no
# MSRV toolchain) is needed here; the database is built directly from source.
# This keeps the scan fast and independent of the build matrix.
#
# Least-privilege permissions: `security-events: write` is the only elevated
# scope (required to upload SARIF / publish alerts); `contents: read` +
# `actions: read` are read-only. Nothing else is granted.
#
# Because this workflow runs UNATTENDED on a cron schedule AND holds
# `security-events: write`, every third-party action is SHA-pinned (immutable)
# — a compromised mutable tag (@v4/@v6) cannot auto-execute on a scheduled,
# write-scoped runner. harden-runner audits egress as the first step.
# The `# vX.Y.Z` comment after each SHA is the human-readable version marker
# that dependency-update bots read when proposing a new pin; keep it in sync
# with the SHA whenever either is bumped.
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly. Wednesday 07:42 UTC — deliberately off the audit.yml slot
    # (Monday 06:17 UTC) so the two scheduled scans never collide.
    - cron: "42 7 * * 3"
# Least-privilege: read-only at the workflow level; the analyze job elevates to
# security-events: write (the minimum CodeQL needs to publish alerts).
permissions:
  contents: read
# One in-flight run per workflow + ref: a newer push to the same ref cancels
# the older, now-stale scan instead of queueing behind it.
concurrency:
  group: codeql-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  analyze:
    name: analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    # Skip CodeQL on PRs from forks: a forked PR gets a read-only GITHUB_TOKEN,
    # so the SARIF upload (needs security-events: write) can't succeed and would
    # fail noisily. push-to-main + the weekly schedule still scan everything that
    # lands, and same-repo PRs still get PR-time scanning. (CodeQL is also not a
    # required status check, so a fork PR is never blocked either way.)
    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
    # Job-level grant replaces the workflow-level `contents: read` block above;
    # everything the job needs has to be listed here.
    permissions:
      security-events: write # upload SARIF / publish code-scanning alerts
      contents: read # checkout source
      actions: read # read workflow run metadata (required by CodeQL)
    strategy:
      # One language failing must not cancel the other two scans.
      fail-fast: false
      matrix:
        language: [rust, python, actions]
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          # `audit` records outbound connections in the run's harden-runner
          # report but does not block any of them — it is visibility, not
          # enforcement. NOTE(review): `block` plus an `allowed-endpoints`
          # allow-list would enforce egress; left on audit until the endpoints
          # the three CodeQL extractors actually need have been confirmed from
          # the audit reports.
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave GITHUB_TOKEN in .git/config for later steps to read.
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
        with:
          languages: ${{ matrix.language }}
          # No-build database creation (GA for rust/python/actions).
          build-mode: none
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
        with:
          # One SARIF category per matrix language, so the three uploads are
          # tracked as separate analyses rather than overwriting one another.
          category: "/language:${{ matrix.language }}"