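---
# CodeQL static analysis for this repository.
# Indentation restored from the flattened listing; structure follows the GitHub Actions workflow schema.
name: "CodeQL"

on:
  push:
    branches: [ "main*" ]
    paths:
      - '**'
      - '!**.txt'
      - '!**.md'
      - '!.github/**'
      # Later patterns win: re-include the two .github paths that change what this analysis does.
      - '.github/workflows/codeql.yml'
      - '.github/codeql/**'
  pull_request:
    branches: [ "main*" ]
    paths:
      - '**'
      - '!**.txt'
      - '!**.md'
      - '!.github/**'
      - '.github/workflows/codeql.yml'
      - '.github/codeql/**'
  schedule:
    - cron: '35 2 * * 0'

# Declare default permissions as read only; each job widens only what it needs.
permissions: read-all

# One run per workflow+ref; a newer push on the same ref cancels the older run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    # NOTE(review): if RUNNER_CODE_QL points at a self-hosted runner, the pull_request trigger above means the
    # repository-controlled build commands below (download_prebuilt.sh, make all) execute PR code on that runner.
    runs-on: ${{ vars.RUNNER_CODE_QL || 'ubuntu-22.04' }}  # The runner type (if overridden by the var) must be an Ubuntu flavor for the C++ build to work.
    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
    permissions:
      security-events: write  # For uploading SARIF results to code scanning API
      actions: read  # For telemetry/status reporting
      contents: read
      pull-requests: read
    strategy:
      fail-fast: false
      matrix:
        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go',
        # 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
        include:
          - language: c-cpp
            build-mode: manual
            sarif-name: cpp
    steps:
      # Supply chain: every action below is pinned to a mutable major tag (@v4/@v5/@v1). Pinning to a full
      # commit SHA (with a tag comment) is the usual hardening; SHAs are not recorded here so none are asserted.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          submodules: recursive
          # Presumably a read-only PAT needed for private submodules; falls back to the job token. TODO confirm.
          token: ${{ secrets.ALL_REPO_CONTENTS_READ_PAT || github.token }}
          # The token is still used for the clone and submodule fetch, but is not left in .git/config where the
          # later Build step (which runs repository-controlled scripts) could read it. Re-enable only if a later
          # step genuinely needs authenticated git access.
          persist-credentials: false
      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          config-file: ./.github/codeql/codeql-config.yml
          # If you wish to specify custom queries, you can do so here or in a config file.
          # By default, queries listed here will override any specified in a config file.
          # Prefix the list here with "+" to use these queries and those in the config file.
      # If the analyze step fails for one of the languages you are analyzing with
      # "We were unable to automatically build your code", modify the matrix above
      # to set the build mode to "manual" for that language. Then modify this step
      # to build your code.
      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
      - name: Build
        if: matrix.build-mode == 'manual' && matrix.language == 'c-cpp'
        shell: bash
        run: |
          # The SGX SDK installer fetched below is only published for Ubuntu, so fail early elsewhere.
          if ! command -v lsb_release &> /dev/null || ! (lsb_release -is 2>/dev/null | grep -Eiq 'Ubuntu'); then
            echo "ERROR: This workflow requires an Ubuntu runner"
            exit 1
          fi
          echo "Runner OS is: $(lsb_release -is) $(lsb_release -rs)"
          set -xeuo pipefail
          sudo -E apt-get update
          sudo -E apt-get install -y --no-install-recommends \
            libcurl4-openssl-dev \
            libboost-dev \
            libboost-system-dev \
            libboost-thread-dev \
            wget \
            build-essential \
            cmake \
            python-is-python3 \
            fakeroot \
            debhelper \
            rpm \
            libssl-dev
          QuoteGeneration/download_prebuilt.sh
          # Supply chain: the SDK installer comes from a "latest" directory, unpinned, and is executed without
          # any checksum or signature check. TODO(review): pin the SDK version and verify the vendor-published
          # digest before running it.
          wget -r -l1 -np -nd --accept 'sgx_linux_x64_sdk_*.bin' https://download.01.org/intel-sgx/latest/linux-latest/distro/ubuntu22.04-server/
          # Run exactly one installer. A bare glob would, with several matches, execute the first file with the
          # others passed as arguments, and with no match fail on chmod with a less useful message.
          shopt -s nullglob
          installers=(./sgx_linux_x64_sdk_*.bin)
          shopt -u nullglob
          if [ "${#installers[@]}" -ne 1 ]; then
            echo "ERROR: expected exactly one SGX SDK installer, found ${#installers[@]}: ${installers[*]:-none}"
            exit 1
          fi
          chmod +x "${installers[0]}"
          "${installers[0]}" <<< "yes"
          set +u  # prevent 'unbound variable' if sgxsdk/environment uses unset variables
          set +x
          echo "Sourcing SGX SDK environment and building..."
          source ./sgxsdk/environment; make all
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{matrix.language}}"
          output: sarif-results
          # Only diagnostics of a failed analysis are uploaded here; the filtered results are uploaded below.
          upload: ${{ vars.DO_NOT_UPLOAD_SARIF_TO_GITHUB == '1' && 'never' || 'failure-only' }}
      # Drop findings under the listed directories (presumably third-party / out-of-scope code — confirm)
      # so they do not appear as this repository's alerts.
      - name: Filter SARIF
        uses: advanced-security/filter-sarif@v1
        with:
          patterns: |
            -external/**/*
            -QuoteVerification/QuoteVerificationService/**/*
            -QuoteVerification/QVL/**/*
            -QuoteVerification/sgxssl/**/*
          input: sarif-results/${{ matrix.sarif-name }}.sarif
          output: sarif-results/${{ matrix.sarif-name }}.sarif
      - name: Upload artifacts
        uses: actions/upload-artifact@v5
        if: ${{ vars.PUBLISH_STANDALONE_SARIF_RESULTS == '1' }}
        with:
          name: codeQL_sarif_results_${{ matrix.language }}
          path: sarif-results/**
          retention-days: 1
      - name: Upload SARIF to GitHub Code Scanning
        if: ${{ vars.DO_NOT_UPLOAD_SARIF_TO_GITHUB != '1' }}
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: sarif-results/${{ matrix.sarif-name }}.sarif

  aggregate_results:
    name: Publish results as standalone artifact
    runs-on: ${{ vars.RUNNER_CODE_QL || 'ubuntu-22.04' }}
    needs: analyze
    # always(): publish whatever the matrix produced even if one leg failed.
    if: always() && vars.PUBLISH_STANDALONE_SARIF_RESULTS == '1'
    steps:
      - name: Collect all results
        uses: actions/download-artifact@v4
        with:
          # Restrict to the SARIF artifacts produced by the analyze job rather than every artifact of the run.
          pattern: codeQL_sarif_results_*
          path: combined-artifacts
          merge-multiple: true
      - name: Generate a local HTML report
        if: runner.os == 'Linux'
        shell: bash
        run: |
          set -xeuo pipefail
          sudo -E apt-get update && sudo -E apt-get install -y --no-install-recommends python3-pip
          # TODO(review): sarif-tools is installed unpinned from PyPI at run time; pin a version (ideally with hashes).
          pip3 install sarif-tools
          ~/.local/bin/sarif html combined-artifacts/*.sarif --output combined-artifacts/codeQL_report.html
      - name: Upload combined results for offline viewing
        uses: actions/upload-artifact@v5
        with:
          name: codeQL-results
          path: combined-artifacts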