security-workflows/.github/workflows/codeql.yml at main · braintree/security-workflows · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
name: Code Scanning

on:
  workflow_call:
    inputs:
      language:
        description: 'Language to analyze with CodeQL'
        required: true
        type: string
      build-command:
        description: 'Optional application build command'
        required: false
        type: string
      filter-patterns:
        description: 'Optional comma-separated list of filter patterns'
        required: false
        type: string
      timeout-minutes:
        description: 'Optional override for larger builds'
        required: false
        default: 20
        type: number

permissions:
  security-events: write
  # required to fetch internal or private CodeQL packs
  packages: read
  actions: read
  contents: read

defaults:
  run:
    shell: bash

jobs:
  code-scanning:
    name: Code Scanning
    runs-on: ubuntu-latest
    timeout-minutes: ${{ inputs.timeout-minutes }}
    strategy:
      fail-fast: false

    steps:
      - name: Capture start time
        run: echo "start_time=$(date +%s)" >> $GITHUB_ENV
        shell: bash

      - name: Checkout Repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

      - name: Setup Node
        if: ${{ inputs.language == 'javascript-typescript' || inputs.language == 'javascript' }}
        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
        with:
          node-version: 22

      - name: Initialize CodeQL
        uses: github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858
        with:
          languages: ${{ inputs.language }}
          build-mode: ${{ inputs.build-command != '' && 'manual' || 'none' }}
          config: |
            paths-ignore:
              - fixtures
              - spec
              - sorbet
              - linters
              - '**/test_*.rb'
            query-filters:
              - exclude:
                  id: js/disabling-certificate-validation
              - exclude:
                  id: py/hardcoded-credentials
              - exclude:
                  id: js/missing-rate-limiting
              - exclude:
                  id: py/request-without-cert-validation
              - exclude:
                  id: rb/request-without-cert-validation

      - name: Manual build
        if: ${{ inputs.build-command != '' }}
        run: |
          {{ inputs.build-command }}

      - name: Perform CodeQL Analysis
        id: codeql
        uses: github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858
        with:
          category: "/language:${{ inputs.language }}"
          output: sarif-results
          upload: failure-only

      - name: Process & Upload SARIF
        uses: braintree/security-workflows/.github/actions/upload-sarif@main
        with:
          sarif_dir: ${{ env.CODEQL_ACTION_SARIF_RESULTS_OUTPUT_DIR }}
          filter_patterns: ${{ inputs.filter-patterns }}