64c51ba295
Security compliance - SHA pinning for all actions. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
86 lines
2.8 KiB
YAML
86 lines
2.8 KiB
YAML
name: 🔍 BlackRoad CodeQL Security Analysis
|
|
|
|
on:
|
|
push:
|
|
branches: [ main, master, develop ]
|
|
pull_request:
|
|
branches: [ main, master, develop ]
|
|
schedule:
|
|
# Run at 4 AM UTC every Monday (10 PM CST Sunday)
|
|
- cron: '0 4 * * 1'
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
actions: read
|
|
contents: read
|
|
security-events: write
|
|
|
|
jobs:
|
|
analyze:
|
|
name: CodeQL Analysis
|
|
runs-on: ubuntu-latest
|
|
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
# Override auto-detection and specify languages manually
|
|
# Supported: 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift'
|
|
language: [ 'javascript', 'python' ]
|
|
|
|
steps:
|
|
- name: 📥 Checkout Repository
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
|
|
|
|
- name: 🔍 Initialize CodeQL
|
|
uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f
|
|
with:
|
|
languages: ${{ matrix.language }}
|
|
# Auto-build for compiled languages
|
|
# For interpreted languages (JS, Python, Ruby), this is not needed
|
|
queries: +security-and-quality
|
|
|
|
- name: 🏗️ Autobuild
|
|
uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f
|
|
# Only needed for compiled languages like Java, C++, C#, Go, Swift
|
|
# For JavaScript and Python, CodeQL analyzes without building
|
|
|
|
- name: 🔒 Perform CodeQL Analysis
|
|
uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f
|
|
with:
|
|
category: "/language:${{matrix.language}}"
|
|
|
|
- name: 📊 Upload Results
|
|
if: always()
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: codeql-results-${{ matrix.language }}
|
|
path: |
|
|
**/results/*.sarif
|
|
**/results/*.csv
|
|
retention-days: 30
|
|
|
|
- name: 📝 Create Issue on Failure
|
|
if: failure()
|
|
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
|
|
with:
|
|
script: |
|
|
const issue = await github.rest.issues.create({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
title: '🔒 CodeQL Security Analysis Failed',
|
|
body: `## CodeQL Analysis Failed
|
|
|
|
**Language:** ${{ matrix.language }}
|
|
**Workflow:** ${context.workflow}
|
|
**Run:** ${context.runId}
|
|
**URL:** https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}
|
|
|
|
Please review the security findings and address any critical vulnerabilities.
|
|
|
|
---
|
|
© 2025-2026 BlackRoad OS, Inc.
|
|
`,
|
|
labels: ['security', 'codeql', 'automated']
|
|
});
|
|
console.log('Created issue:', issue.data.number);
|