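---
name: 🔍 CodeQL Security Scanning

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Run at 03:00 UTC daily (offset from other security scans)
    - cron: '0 3 * * *'

# Least-privilege default for every job in this workflow; `analyze` widens
# only the scopes it needs in its own `permissions` block below.
permissions:
  contents: read

jobs:
  analyze:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      # Required for all workflows
      security-events: write
      # Required to fetch internal or private CodeQL packs
      packages: read
      # Required for workflows in private repositories
      actions: read
      contents: read
    strategy:
      fail-fast: false
      matrix:
        # CodeQL supports: 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
        language: [python]
    steps:
      # NOTE(review): every action below is referenced by a mutable tag (@vN),
      # including the third-party abatilo/actions-poetry. For supply-chain
      # hardening, pin each to a full commit SHA and keep the tag in a
      # trailing comment, e.g. `uses: owner/action@<40-hex-commit-sha> # v4`.
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.9'

      - name: Install Poetry
        uses: abatilo/actions-poetry@v3

      - name: Install dependencies
        run: poetry install --no-interaction --no-root

      # Initializes the CodeQL tools for scanning
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Use custom config that registers validate_path as a sanitizer
          config-file: .github/codeql/codeql-config.yml
          # The leading `+` ADDS the security-and-quality suite on top of the
          # default query set; without it, this value would replace the defaults.
          queries: +security-and-quality
          # Advanced setup options
          setup-python-dependencies: false  # We handle this with Poetry

      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java)
      # For Python, this step is typically not needed, but we include it for completeness
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      # Perform CodeQL Analysis.
      # Findings are uploaded as code scanning alerts; this action does not
      # fail the job based on alert severity. Severity gating belongs to the
      # code scanning check enforced via branch protection / rulesets.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
          # Upload results to GitHub Security tab
          upload: true
          # Write the SARIF to a known directory so the artifact step below
          # uploads exactly what was produced, for every matrix language,
          # instead of relying on a hard-coded internal runner path.
          output: ${{ runner.temp }}/codeql-results

      # Keep the raw SARIF around for a week for offline triage / auditing
      - name: Upload SARIF as artifact
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: codeql-results-${{ matrix.language }}
          path: ${{ runner.temp }}/codeql-results
          retention-days: 7

  security-gate:
    name: Security Gate Check
    needs: analyze
    runs-on: ubuntu-latest
    if: always()
    # This job performs no checkout and calls no API; it needs no token scopes.
    permissions: {}
    steps:
      - name: Check CodeQL status
        # `needs.analyze.result` reports whether the analysis job completed
        # (success/failure/cancelled/skipped), NOT whether alerts were found.
        # The value is passed through `env` rather than interpolated into the
        # script so the shell never sees expression output as code.
        env:
          ANALYZE_RESULT: ${{ needs.analyze.result }}
        run: |
          if [ "$ANALYZE_RESULT" != "success" ]; then
            echo "::error::CodeQL analysis job did not complete successfully (result: $ANALYZE_RESULT)"
            exit 1
          fi
          echo "✅ CodeQL security scan passed"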