From 11dd693c13b34c13d81121c37824cdc3201d1252 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Wed, 18 Oct 2023 20:59:01 +0200
Subject: [PATCH] chore: add codeql
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Charles-Edouard Brétéché
---
 .github/workflows/codeql.yaml | 53 +++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 .github/workflows/codeql.yaml

diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
new file mode 100644
index 00000000..f8b4eb2d
--- /dev/null
+++ b/.github/workflows/codeql.yaml
@@ -0,0 +1,53 @@
+name: CodeQL
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Free disk space
+        uses: jlumbroso/free-disk-space@f68fdb76e2ea636224182cfb7377ff9a1708f9b8 # v1.3.0
+        with:
+          tool-cache: true
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: false
+          docker-images: true
+          swap-storage: false
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
+        with:
+          scan-type: fs
+          ignore-unfixed: false
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH,MEDIUM
+          scanners: vuln,secret
+          exit-code: '1'
+          vuln-type: os,library
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        with:
+          sarif_file: trivy-results.sarif
+          category: code
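Review bot: With `exit-code: '1'` on the Trivy step, any CRITICAL/HIGH/MEDIUM finding fails that step, so the following "Upload Trivy scan results to GitHub Security tab" step is skipped and the SARIF never reaches the Security tab precisely on the runs that have findings; add `if: always()` to the upload step (or drop `exit-code` and let the Security tab carry the signal, if a red check is not wanted). The file name and `name: CodeQL` describe a CodeQL scan, but the job only runs Trivy, so a `category: code` entry in the Security tab will read as CodeQL output; a comment above `jobs:` such as `# Trivy filesystem scan (vulnerabilities + secrets), uploaded as SARIF via the codeql-action uploader` or a rename to `trivy.yaml` would make this clear. `fetch-depth: 0` pulls the full history, which a filesystem scan of the checked-out tree does not appear to need, so it is presumably intentional but worth confirming. Action SHAs are pinned and `permissions` are scoped to `security-events: write`, which is the right shape for this job.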