74 changes: 74 additions & 0 deletions .github/workflows/codeql.yml
@@ -0,0 +1,74 @@
---

name: "CodeQL Advanced"
run-name: "CodeQL Advanced"

on:
push:
branches:
- 'main'

pull_request:
branches:
- 'main'

schedule:
- cron: '35 18 * * 0'
- cron: '17 22 * * 5'

jobs:
analyze:
name: "Analyze (${{ matrix.language }})"
runs-on: ubuntu-latest

permissions:
security-events: write
packages: read
actions: read
contents: read

strategy:
fail-fast: false
matrix:
language:
- 'actions'
- 'javascript-typescript'

steps:
- name: "Checkout"
uses: actions/checkout@v4

- name: "Initialize CodeQL"
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}

- name: "Perform CodeQL Analysis"
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{ matrix.language }}"

dependency-scan:
name: Dependency Scan
runs-on: ubuntu-latest
steps:
- name: "Checkout repository"
uses: actions/checkout@v4

- name: "Scan for dependencies"
uses: github/dependabot-action@v2
with:
sub-directory: "/"
open-pull-requests-limit: 5
package-ecosystem: "github-actions"
directory: "/"

secret-scan:
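Review bot: The `dependency-scan` job (`uses: github/dependabot-action@v2`) will not do what its name suggests: `package-ecosystem`, `directory` and `open-pull-requests-limit` are keys of `.github/dependabot.yml`, the file Dependabot is configured through, not inputs of a workflow step, and I am not aware of a published action at that path; `sub-directory: "/"` and `directory: "/"` also duplicate each other. Move that configuration into `.github/dependabot.yml` (Dependabot then runs on its own schedule and no job is needed) or, if a marketplace scanner is intended, name it explicitly and verify it resolves before merging. The job also sets no `permissions:`, so its GITHUB_TOKEN gets the repository default scope; `permissions: {contents: read}` is all a checkout-plus-scan job needs. On the `analyze` job, `actions/checkout@v4` and `github/codeql-action/init@v3` / `analyze@v3` are pinned to mutable major tags; for a security workflow, pinning each to a full commit SHA with the tag in a trailing comment removes the tag-retargeting risk.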
Comment on lines +52 to +66

Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 10 months ago

To fix the problem, add a permissions block to the dependency-scan job in .github/workflows/codeql.yml. This block should grant only the minimal required permissions. Since the job only checks out code and runs a dependency scan, contents: read is sufficient. The permissions block should be added at the same indentation level as runs-on and steps within the dependency-scan job, ideally immediately after runs-on for clarity.


Suggested changeset 1
.github/workflows/codeql.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -51,6 +51,8 @@
   dependency-scan:
     name: Dependency Scan
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
     - name: "Checkout repository"
       uses: actions/checkout@v4
EOF
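Review bot: The patch is correct for `dependency-scan` but fixes one job at a time; the same warning fires on `secret-scan`, and a single workflow-level block, `permissions:` with `contents: read` placed after `run-name:`, restricts every job at once. The `analyze` job keeps its own `security-events: write` block, since a job-level `permissions:` overrides the workflow-level one, so nothing else in the file needs to change.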
name: "Secret Scan"
runs-on: ubuntu-latest
steps:
- name: "Checkout"
uses: actions/checkout@v4

- name: "Scan for secrets"
uses: github/secret-scanning@v2
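Review bot: `uses: github/secret-scanning@v2` needs checking before merge: GitHub secret scanning is enabled as a repository security setting rather than run as a workflow step, and I am not aware of a published action at `github/secret-scanning`, so this step is likely to fail at action resolution. Either drop the job and enable secret scanning (with push protection) in the repository settings, or switch to a scanner that actually ships as an action and pin it by commit SHA. As with `dependency-scan`, the job sets no `permissions:`; `contents: read` is sufficient for a job that only checks out and scans.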
Comment on lines +67 to +74

Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 10 months ago

To fix the problem, we should add a permissions block to the secret-scan job in .github/workflows/codeql.yml. This block should specify the minimal permissions required for the job to function correctly. Since the job only checks out code and runs a secret scanning action, it only needs read access to repository contents. Therefore, we should add permissions: contents: read under the secret-scan job, at the same indentation level as name and runs-on. No other changes are required.

Suggested changeset 1
.github/workflows/codeql.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -66,6 +66,8 @@
   secret-scan:
     name: "Secret Scan"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
     - name: "Checkout"
       uses: actions/checkout@v4
EOF