Actions for running CodeQL analysis
Marco Gario a6c8729a5d
Merge pull request #2614 from github/marcogario/per-platform-proxy
Start-proxy: Fetch OS specific binary
2024-11-19 20:06:00 +01:00
.github Upgrade actions/upload-artifact to v4 2024-11-12 20:50:14 -05:00
.vscode VSCode settings: set default formatter for TS 2023-10-27 17:21:58 +01:00
actions-extractor chmod +x 2024-11-07 15:18:06 -05:00
analyze Add a warning to not specify a `token` input in most cases. 2024-09-13 15:48:32 +01:00
autobuild Update autobuild/action.yml 2024-10-03 18:32:01 -07:00
init Add `dependency-caching` input to Action 2024-10-29 12:06:17 +00:00
lib Start-proxy: Fetch OS specific binary 2024-11-19 14:48:04 +00:00
node_modules Update checked-in dependencies 2024-11-18 22:32:42 +00:00
pr-checks Upgrade actions/upload-artifact to v4 2024-11-12 20:50:14 -05:00
python-setup Restore `python-setup/check_python12.ps1` 2024-04-08 10:22:09 +02:00
queries Internal queries: Replace deprecated predicates 2024-01-24 12:14:58 +00:00
resolve-environment Document `action.inputs.token` (#2110) 2024-02-08 09:45:27 +00:00
src Start-proxy: Fetch OS specific binary 2024-11-19 14:48:04 +00:00
start-proxy fixes 2024-08-15 12:23:22 +00:00
tests Exclude Swift on macos for version 2.14.6 2024-11-07 16:06:21 -08:00
upload-sarif Add a warning to not specify a `token` input in most cases. 2024-09-13 15:48:32 +01:00
.editorconfig Add a `.editorconfig` with our chosen formatting options. 2020-06-23 14:38:30 +01:00
.git-blame-ignore-revs Ignore prior commit in git blame 2023-07-25 17:59:56 +02:00
.gitattributes Refactor PR checks 2021-09-08 13:59:52 +01:00
.gitignore Stop tracking `tsconfig.tsbuildinfo` 2024-09-23 09:47:18 -07:00
.npmrc Add config file to support npm v8 and v9 simultaneously 2022-11-14 22:15:08 +00:00
.pre-commit-config.yaml Add pre-commit configuration 2023-10-26 11:03:40 +02:00
CHANGELOG.md Update changelog and version after v3.27.4 2024-11-14 14:13:04 +00:00
CODEOWNERS Delete `python-setup/` 2024-04-04 17:16:05 +02:00
CODE_OF_CONDUCT.md Initial commit (from f5274cbdce4ae7c9e4b937dcdf95ac70ae436d5f) 2020-04-28 17:23:37 +02:00
CONTRIBUTING.md Add a compatibility table to the README 2024-05-07 13:58:01 -07:00
LICENSE Initial commit (from f5274cbdce4ae7c9e4b937dcdf95ac70ae436d5f) 2020-04-28 17:23:37 +02:00
README.md Update supported GHES versions table 2024-10-16 10:53:08 +01:00
action.yml Update action.yml 2024-10-29 14:21:39 -07:00
eslint.config.mjs Fix eslint configuration 2024-07-16 15:13:51 -07:00
package-lock.json Bump cross-spawn from 7.0.3 to 7.0.6 in the npm_and_yarn group 2024-11-18 22:31:19 +00:00
package.json Bump the npm group with 4 updates 2024-11-18 17:43:16 +00:00
tsconfig.json Upgrade TypeScript to 9.2.0 2023-01-18 20:59:57 +00:00

README.md

CodeQL Action

This action runs GitHub's industry-leading semantic code analysis engine, CodeQL, against a repository's source code to find security vulnerabilities. It then automatically uploads the results to GitHub so they can be displayed on pull requests and in the repository's security tab. CodeQL runs an extensible set of queries, which have been developed by the community and the GitHub Security Lab to find common vulnerabilities in your code.

For a list of recent changes, see the CodeQL Action's changelog.

License

This project is released under the MIT License.

The underlying CodeQL CLI, used in this action, is licensed under the GitHub CodeQL Terms and Conditions. As such, this action may be used on open source projects hosted on GitHub, and on private repositories that are owned by an organisation with GitHub Advanced Security enabled.

Usage

We recommend using default setup to configure CodeQL analysis for your repository. For more information, see "Configuring default setup for code scanning."

You can also configure advanced setup for a repository to find security vulnerabilities in your code using a highly customizable code scanning configuration. For more information, see "Configuring advanced setup for code scanning" and "Customizing your advanced setup for code scanning."

Actions

This repository contains several actions that enable you to analyze code in your repository using CodeQL and upload the analysis to GitHub Code Scanning. Actions in this repository also allow you to upload to GitHub analyses generated by any SARIF-producing SAST tool.

Actions for CodeQL analyses:

  • init: Sets up CodeQL for analysis. For information about input parameters, see the init action definition.
  • analyze: Finalizes the CodeQL database, runs the analysis, and uploads the results to Code Scanning. For information about input parameters, see the analyze action definition.

Actions for uploading analyses generated by third-party tools:

  • upload-sarif: Uploads a SARIF file to Code Scanning. If you are using the analyze action, there is no reason to use this action as well. For information about input parameters, see the upload-sarif action definition.

Actions with special purposes and unlikely to be used directly:

  • autobuild: Attempts to automatically build the code. Only used for analyzing languages that require a build. Use the build-mode: autobuild input in the init action instead. For information about input parameters, see the autobuild action definition.
  • resolve-environment: [Experimental] Attempts to infer a build environment suitable for automatic builds. For information about input parameters, see the resolve-environment action definition.
  • start-proxy: [Experimental] Start the HTTP proxy server. Internal use only and will change without notice. For information about input parameters, see the start-proxy action definition.

Workflow Permissions

All advanced setup code scanning workflows must have the security-events: write permission. Workflows in private repositories must additionally have the contents: read permission. For more information, see "Assigning permissions to jobs."

Build Modes

The CodeQL Action supports different build modes for analyzing the source code. The available build modes are:

  • none: The database will be created without building the source code. Available for all interpreted languages and some compiled languages.
  • autobuild: The database will be created by attempting to automatically build the source code. Available for all compiled languages.
  • manual: The database will be created by building the source code using a manually specified build command. To use this build mode, specify manual build steps in your workflow between the init and analyze steps. Available for all compiled languages.

Which build mode should I use?

Interpreted languages must use none for the build mode.

For compiled languages:

  • manual build mode will typically produce the most precise results, but it is more difficult to set up and will cause the analysis to take slightly more time to run.
  • autobuild build mode is simpler to set up, but will only work for projects with generic build steps that can be guessed by the heuristics of the autobuild scripts. If autobuild fails, then you must switch to manual or none. If autobuild succeeds, then the results and run time will be the same as manual mode.
  • none build mode is also simpler to set up and is slightly faster to run, but there is a possibility that some alerts will be missed. This may happen if your repository does any code generation during compilation or if there are any dependencies downloaded from registries that the workflow does not have access to. none is not yet supported by C/C++, Swift, Go, or Kotlin.
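The permissions and build-mode guidance above, combined into one advanced setup workflow. This is an added example, not a file from this repository; the workflow name, branch name, language matrix, and the `make` build command are assumptions to replace with your own.

```yaml
# Added example workflow (not part of the CodeQL Action repository).
# Branch name, language matrix and build command are assumptions.
name: CodeQL (advanced setup)

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  analyze:
    runs-on: ubuntu-latest
    # Grant only the permissions the README lists for code scanning workflows.
    permissions:
      security-events: write   # required to upload results to Code Scanning
      contents: read           # additionally required in private repositories
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: python   # interpreted language: build mode must be none
            build-mode: none
          - language: c-cpp    # compiled language: manual gives the most precise results
            build-mode: manual
    steps:
      - name: Check out the repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      # Manual build steps belong between the init and analyze steps.
      - name: Build
        if: matrix.build-mode == 'manual'
        run: make   # placeholder build command (assumption)

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Declaring `permissions` at the job level keeps the workflow token limited to these two scopes for this job, rather than inheriting the repository default.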

Supported versions of the CodeQL Action

The following versions of the CodeQL Action are currently supported:

  • v3 (latest)
  • v2 (deprecated, support will end on December 5th, 2024)

The only difference between CodeQL Action v2 and v3 is the version of Node.js on which they run. CodeQL Action v3 runs on Node 20, while CodeQL Action v2 runs on Node 16.

To provide the best experience to customers using older versions of GitHub Enterprise Server, we will continue to release CodeQL Action v2 so that these customers can continue to run the latest version of CodeQL as long as their version of GitHub Enterprise Server is supported. For example, CodeQL Action v3.22.11 was the first release of CodeQL Action v3 and is functionally identical to v2.22.11. This approach provides an easy way to track exactly which features are included in different versions by looking at the minor and patch version numbers.

For more information, see "Code scanning: deprecation of CodeQL Action v2."

Supported versions of the CodeQL Bundle on GitHub Enterprise Server

We typically release new minor versions of the CodeQL Action and Bundle when a new minor version of GitHub Enterprise Server (GHES) is released. When a version of GHES is deprecated, the CodeQL Action and Bundle releases that shipped with it are deprecated as well.

| Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
|---|---|---|---|
| v3.26.6 | 2.18.4 | Enterprise Server 3.15 | |
| v3.25.11 | 2.17.6 | Enterprise Server 3.14 | |
| v3.24.11 | 2.16.6 | Enterprise Server 3.13 | |
| v3.22.12 | 2.15.5 | Enterprise Server 3.12 | |
| v2.22.1 | 2.14.6 | Enterprise Server 3.11 | Supports CodeQL Action v3, but did not ship with CodeQL Action v3. For more information, see "Code scanning: deprecation of CodeQL Action v2." |

CodeQL Action v2 will stop receiving updates when GHES 3.11 is deprecated.

See the full list of GHES release and deprecation dates at GitHub Enterprise Server releases.

Troubleshooting

Read about troubleshooting code scanning.

Contributing

This project welcomes contributions. See CONTRIBUTING.md for details on how to build, install, and contribute.