1 | 1 | # GitHub Action for CodeQL Analysis |
2 | 2 | # Scans C/C++, C#, Go, Java, JavaScript, Python, Ruby, TypeScript, Swift, and Kotlin. |
3 | | -# This configuration is tailored for C++, JavaScript, and PHP. |
| 3 | +# This configuration is tailored for C++ (compiled to Wasm) and JavaScript. |
4 | 4 |
|
5 | 5 | name: CodeQL Security Analysis |
6 | 6 |
|
|
16 | 16 | jobs: |
17 | 17 | analyze: |
18 | 18 | name: Analyze Codebase |
| 19 | + # Run on the latest version of Ubuntu |
19 | 20 | runs-on: ubuntu-latest |
| 21 | + |
| 22 | + # Permissions are required for CodeQL to report security events |
20 | 23 | permissions: |
21 | 24 | actions: read |
22 | 25 | contents: read |
23 | 26 | security-events: write |
24 | 27 |
|
| 28 | + # A strategy matrix is used to run the job for each specified language. |
25 | 29 | strategy: |
26 | 30 | fail-fast: false |
27 | 31 | matrix: |
28 | | - language: ['cpp', 'javascript', 'php'] |
| 32 | + # Define the languages to scan. PHP was removed as it's not supported by CodeQL. |
| 33 | + language: ['cpp', 'javascript'] |
29 | 34 |
|
30 | 35 | steps: |
31 | | - - name: Checkout repository |
32 | | - uses: actions/checkout@v4 |
33 | | - |
34 | | - # Initializes the CodeQL tools for scanning. |
35 | | - - name: Initialize CodeQL |
36 | | - uses: github/codeql-action/init@v3 |
37 | | - with: |
38 | | - languages: ${{ matrix.language }} |
39 | | - # queries: +security-and-quality |
40 | | - |
41 | | - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). |
42 | | - - name: Build C++ Code |
43 | | - # Run the C++ matrix entry. |
44 | | - if: matrix.language == 'cpp' |
45 | | - run: | |
46 | | - npm install |
47 | | - npm run build:wasm |
48 | | -
|
49 | | - - name: Perform CodeQL Analysis |
50 | | - uses: github/codeql-action/analyze@v3 |
51 | | - with: |
52 | | - category: "/language:${{matrix.language}}" |
| 36 | + # Step 1: Check out the repository's code so the workflow can access it. |
| 37 | + - name: Checkout repository |
| 38 | + uses: actions/checkout@v4 |
| 39 | + |
| 40 | + # Step 2: Initialize the CodeQL tools for the specified language. |
| 41 | + # This step configures the CodeQL tracer to monitor the build process. |
| 42 | + - name: Initialize CodeQL |
| 43 | + uses: github/codeql-action/init@v3 |
| 44 | + with: |
| 45 | + languages: ${{ matrix.language }} |
| 46 | + # You can uncomment the following line to run a more comprehensive suite of queries. |
| 47 | + # queries: +security-and-quality |
| 48 | + |
| 49 | + # Step 3: Build the C++ code. This step only runs for the 'cpp' matrix entry. |
| 50 | + # It uses a dedicated action to install the Emscripten SDK first. |
| 51 | + - name: Build C++ with Emscripten |
| 52 | + if: matrix.language == 'cpp' |
| 53 | + uses: emscripten-core/setup-emscripten@v4 |
| 54 | + with: |
| 55 | + # Specify the version of Emscripten to use. 'latest' is usually fine. |
| 56 | + emscripten-version: 'latest' |
| 57 | + # After setting up Emscripten, run the build commands. |
| 58 | + # The CodeQL tracer, initialized in the previous step, will monitor this process. |
| 59 | + run: | |
| 60 | + npm install |
| 61 | + npm run build:wasm |
| 62 | +
|
| 63 | + # Step 4: Run the CodeQL analysis. |
| 64 | + # This step takes the database created during the build and runs queries against it. |
| 65 | + - name: Perform CodeQL Analysis |
| 66 | + uses: github/codeql-action/analyze@v3 |
| 67 | + with: |
| 68 | + category: "/language:${{matrix.language}}" |
| 69 | + |
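Review bot: The "Build C++ with Emscripten" step (new lines 51–61) declares both `uses:` and `run:`, which GitHub Actions rejects as invalid workflow syntax — a step is either an action or a shell command, never both — so the workflow will fail validation and the cpp CodeQL database is never built. Split it into a setup step that runs the action and a separate `run:` step for the build; the build still comes after `Initialize CodeQL`, so the tracer monitors it as the comment on line 58 intends. I cannot confirm from the visible lines that `emscripten-version` is an input this action accepts, so check its action.yml before relying on it. Both `'latest'` and the `@v4`/`@v3` tags are mutable references; pinning the actions to full commit SHAs and the SDK to an explicit version makes the scan reproducible and narrows supply-chain exposure.
```yaml
      # … unchanged: checkout and Initialize CodeQL steps …
      - name: Set up Emscripten
        if: matrix.language == 'cpp'
        uses: emscripten-core/setup-emscripten@v4  # prefer pinning to a full commit SHA
        with:
          emscripten-version: 'latest'  # prefer an explicit version for reproducible scans

      - name: Build C++ with Emscripten
        if: matrix.language == 'cpp'
        run: |
          npm install
          npm run build:wasm
      # … unchanged: Perform CodeQL Analysis step …
```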