From 247951930d509ae6ce4f8d8410c927214444d998 Mon Sep 17 00:00:00 2001
From: Andrew Eisenberg
Date: Wed, 10 May 2023 01:08:16 -0700
Subject: [PATCH] Update the code scanning configuration docs (#36755)

Co-authored-by: Felicity Chapman
---
 .../customizing-code-scanning.md | 44 ++++++++++++++++++-
 data/features/code-scanning-config-input.yml | 6 +++
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 data/features/code-scanning-config-input.yml

diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning.md b/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning.md
index 8d627a9794..8f69b34fa2 100644
--- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning.md
+++ b/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning.md
@@ -388,7 +388,7 @@ You can also specify query suites in the value of `queries`. Query suites are co
 ``` yaml{:copy}
 - uses: {% data reusables.actions.action-codeql-action-init %}
   with:
-    # Comma-separated list of queries / packs / suites to run.
+    # Comma-separated list of queries / packs / suites to run.
     # This may include paths or a built in suite, for example:
     # security-extended or security-and-quality.
     queries: security-extended
@@ -571,6 +571,48 @@ You can quickly analyze small portions of a monorepo when you modify code in spe
 {% data reusables.code-scanning.example-configuration-files %}
 
+{% ifversion code-scanning-config-input %}
+## Specifying configuration details using the `config` input
+
+If you'd prefer to specify additional configuration details in the workflow file, you can use the `config` input of the `init` command of the {% data variables.product.prodname_codeql %} action. The value of this input must be a YAML string that follows the configuration file format documented at "[Using a custom configuration file](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#using-a-custom-configuration-file)" above.
+
+### Example configuration
+
+This step in a {% data variables.product.prodname_actions %} workflow file uses a `config` input to disable the default queries, add the `security-extended` query suite, and exclude queries that are tagged with `cwe-020`.
+
+```yaml
+- uses: {% data reusables.actions.action-codeql-action-init %}
+  with:
+    languages: {% raw %}${{ matrix.language }}{% endraw %}
+    config: |
+      disable-default-queries: true
+      queries:
+        - uses: security-extended
+      query-filters:
+        - exclude:
+            tags: /cwe-020/
+```
+
+You can use the same approach to specify any valid configuration options in the workflow file.
+
+{% tip %}
+
+**Tip:**
+
+You can share one configuration across multiple repositories using {% data variables.product.prodname_actions %} variables. One benefit of this approach is that you can update the configuration in a single place without editing the workflow file.
+
+In the following example, `vars.CODEQL_CONF` is a {% data variables.product.prodname_actions %} variable. Its value can be the contents of any valid configuration file. For more information, see "[AUTOTITLE](/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows)."
+
+```yaml
+- uses: {% data reusables.actions.action-codeql-action-init %}
+  with:
+    languages: {% raw %}${{ matrix.language }}{% endraw %}
+    config: {% raw %}${{ vars.CODEQL_CONF }}{% endraw %}
+```
+
+{% endtip %}
+{% endif %}
+
 ## Configuring {% data variables.product.prodname_code_scanning %} for compiled languages
 
 {% data reusables.code-scanning.autobuild-compiled-languages %}
 {% data reusables.code-scanning.analyze-go %}
diff --git a/data/features/code-scanning-config-input.yml b/data/features/code-scanning-config-input.yml
new file mode 100644
index 0000000000..4c4f73e624
--- /dev/null
+++ b/data/features/code-scanning-config-input.yml
@@ -0,0 +1,6 @@
+# Versions that support the `config` input in the `github/codeql-action/init@v2`` action
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>3.9'
+  ghae: '>3.9'
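Review bot: The tip recommending `config: ${{ vars.CODEQL_CONF }}` should carry a caveat that the variable becomes part of the scanning control surface: whoever can edit the repository or organization variable can disable default queries, add query filters, or change path exclusions for every repository that reads it, and that change never passes review of the workflow file — the same property the paragraph presents as a benefit. I would add after the "In the following example" paragraph a sentence such as `Because the value is read at run time, anyone who can edit the variable can change what code scanning covers; restrict write access to it and review changes to it as carefully as changes to the workflow file.` The section also states the input must be a valid YAML configuration string but does not say what the action does with an empty or malformed variable value, which is worth a sentence if the behavior is known.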
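Review bot: The comment on the first added line has an unbalanced backtick, `init@v2``, which leaves a stray backtick in the rendered text; it should read `# Versions that support the `config` input in the `github/codeql-action/init@v2` action`. A short note that this flag gates the new "Specifying configuration details using the `config` input" section would also help, since the `ifversion code-scanning-config-input` in customizing-code-scanning.md is the only consumer visible in this patch.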