Merge pull request #37 from microsoft/u/sgriffin/codeql

U/sgriffin/codeql

Author: stephenegriffin

.github/workflows/codeql.yml

@@ -1,27 +1,35 @@
-name: "CodeQL"
+name: "CodeQL Advanced"
 
 on:
   workflow_dispatch:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
   schedule:
-    - cron: "0 0 * * 1"
-
-permissions:
-  contents: read
+    - cron: '33 1 * * 2'
 
 jobs:
   analyze:
-    name: Analyze
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
     runs-on: windows-latest
     permissions:
+      packages: read
       actions: read
       contents: read
       security-events: write
 
     strategy:
       fail-fast: false
       matrix:
-        language: ["cpp"]
-
+        include:
+        - language: c-cpp
+          build-mode: autobuild
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -32,17 +40,30 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           submodules: 'recursive'
-        
+
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
         with:
           languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
 
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # queries: security-extended,security-and-quality
+
+      # - name: Autobuild
+      #   uses: github/codeql-action/autobuild@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
 
       - name: Perform CodeQL Analysis
+        id: analyze
         uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
         with:
-          category: "/language:${{matrix.language}}"
+          category: "/language:${{matrix.language}}"
+
+      - name: Upload CodeQL Analysis Results
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          path: ${{ steps.analyze.outputs.sarif-output }}

.github/workflows/devskim.yml

@@ -31,4 +31,9 @@ jobs:
       - name: Upload DevSkim scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
         with:
-          sarif_file: devskim-results.sarif
+          sarif_file: devskim-results.sarif
+
+      - name: Upload DevSkim scan results as an artifact
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          path: devskim-results.sarif

.github/workflows/github-ci.yml

@@ -44,10 +44,17 @@ jobs:
         & $path\MSBuild\Current\Bin\amd64\msbuild.exe /m /p:Configuration="${{matrix.configuration}}" /p:Platform="${{matrix.platform}}" mapistub.sln
 
     - name: Perform CodeQL Analysis
+      id: analyze
       uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
       with:
         category: "/language:cpp"
 
+    - name: Upload CodeQL Analysis Results
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+      with:
+        name: codeql-results-${{ matrix.configuration }}-${{ matrix.platform }}
+        path: ${{ steps.analyze.outputs.sarif-output }}
+
   publish-test-results:
     name: "Publish Tests Results"
     needs: build