# CodeQL Scan Action
Runs a CodeQL scan for a list of supplied input languages and uploads the resulting SARIF file to GitHub. This action is geared toward anyone seeking to run automated CodeQL scans on self-hosted runners.

Limited testing has been carried out using a self-hosted runner installed on an Ubuntu Jammy amd64 OS. For the action to work correctly, the following packages need to be installed on the runner OS:

- NodeJS v18 (following the GitHub-hosted installation default)
- `jq` (`sudo apt install jq`)
## Note on CodeQL usage with Private Repositories

To use the action for scanning private repositories, a GitHub Advanced Security license is required; otherwise you will see the following message appear in the workflow logs:

`{"message":"Advanced Security must be enabled for this repository to use code scanning..."`
## Supported Languages

### Non-compilable

`python`, `javascript`, `typescript`, `ruby`

### Compiled

`java`

Note:

- Given the nature of the build process for compiled languages, attempting to cover the anticipated range of build command/mode combinations is extremely time consuming, so the action might need further tweaking for your build.
- Feel free to log any issues you come across.
## Inputs

Most inputs mirror the parameters passed to the CodeQL CLI commands. The descriptions listed below were sourced from the CodeQL CLI manual.
| Parameter | Description | Required? | Default |
|---|---|---|---|
| `git_ref` | Name of the ref to perform the analysis against. If this ref is a pull request merge commit, then use `refs/pulls/1234/merge` or `refs/pulls/1234/head` (depending on whether this commit corresponds to the HEAD or MERGE commit of the PR). | false | `${{ github.ref }}` |
| `commit_sha` | SHA value of the commit being analyzed. | false | `${{ github.sha }}` |
| `language_to_scan` | Identifier(s) of the source language(s) to scan. Examples: a single language (such as python): `"python"`; multiple languages (such as python and javascript): `"python,javascript"`. Use `codeql resolve languages` to get a list of the pluggable language extractors found on the search path. | true | |
| `token` | GitHub token; the value can be accessed from the secrets context: `${{ secrets.GITHUB_TOKEN }}`. | true | |
| `codeql_scan_type` | Query suite to execute. | false | `code-scanning` |
| `build_mode` | Build mode to use for creating the CodeQL DB. Used for compiled languages. | false | `''` |
| `build_command` | Used for compiled languages. Build command or script that invokes the build process for the codebase. | false | `''` |
| `codeql_config_file` | Path to the CodeQL code scanning configuration file. | false | `''` |
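Because the inputs mirror CodeQL CLI parameters, it helps to see the CLI sequence they map onto. The script below is an added example written for this README; it is not the action's own `src/` code, and it makes some assumptions: `codeql` is on the runner's `PATH`, databases are created in `db-<lang>` directories, the `code-scanning` scan type resolves to the `<lang>-code-scanning.qls` suite of the `codeql/<lang>-queries` pack, and `example-org/example-repo` plus the all-zero commit SHA are placeholders. It runs in dry-run mode by default (`DRY_RUN=1`), printing each command instead of executing it, and the token is only ever passed to the CLI on stdin, never as a command-line argument.

```shell
#!/usr/bin/env bash
# Added example (not the action's src/): the CodeQL CLI steps behind the inputs table,
# runnable as a dry run on a self-hosted runner. POSIX-compatible apart from `local`.
set -eu

SUPPORTED="python javascript typescript ruby java"   # the languages this README lists
DRY_RUN="${DRY_RUN:-1}"                              # 1 = print commands, 0 = execute them

# Turn the comma-separated language_to_scan input into a space-separated list and
# reject anything outside the supported set before any CLI command runs.
split_languages() {
  local out="" lang
  for lang in $(printf '%s' "$1" | tr ',' ' '); do
    case " $SUPPORTED " in
      *" $lang "*) out="${out:+$out }$lang" ;;
      *) echo "unsupported language: $lang" >&2; return 1 ;;
    esac
  done
  printf '%s\n' "$out"
}

# Print the command line (dry run) or execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# `codeql database create` for one language.
# Arguments: lang, build_mode (optional), build_command (optional), codeql_config_file (optional)
create_database() {
  local lang="$1" build_mode="${2:-}" build_cmd="${3:-}" cfg="${4:-}"
  set -- codeql database create "db-$lang" "--language=$lang" --source-root=. --overwrite
  if [ -n "$build_mode" ]; then set -- "$@" "--build-mode=$build_mode"; fi
  if [ -n "$build_cmd" ];  then set -- "$@" "--command=$build_cmd"; fi
  if [ -n "$cfg" ];        then set -- "$@" "--codescanning-config=$cfg"; fi
  run "$@"
}

# `codeql database analyze`, producing one SARIF file per language.
# Assumed suite naming: codeql/<lang>-queries:codeql-suites/<lang>-<scan_type>.qls
analyze_database() {
  local lang="$1" scan_type="${2:-code-scanning}"
  run codeql database analyze "db-$lang" \
    "codeql/${lang}-queries:codeql-suites/${lang}-${scan_type}.qls" \
    --format=sarif-latest "--output=results-$lang.sarif" "--sarif-category=$lang"
}

# `codeql github upload-results`; the token goes in on stdin (--github-auth-stdin).
# Arguments: lang, owner/repo, git_ref, commit_sha
upload_sarif() {
  local lang="$1" repo="$2" ref="$3" sha="$4"
  if [ "$DRY_RUN" = "1" ]; then
    run codeql github upload-results "--repository=$repo" "--ref=$ref" "--commit=$sha" \
      "--sarif=results-$lang.sarif" --github-auth-stdin
  else
    printf '%s' "${GITHUB_TOKEN:?GITHUB_TOKEN must be set}" | codeql github upload-results \
      "--repository=$repo" "--ref=$ref" "--commit=$sha" "--sarif=results-$lang.sarif" \
      --github-auth-stdin
  fi
}

# Driver for the "java,python" case: a manual Maven build for the compiled language,
# no build step for python. Repository and SHA values are placeholders.
main() {
  local lang
  for lang in $(split_languages "java,python"); do
    if [ "$lang" = "java" ]; then
      create_database java manual "mvn -B -DskipTests package"
    else
      create_database "$lang"
    fi
    analyze_database "$lang" code-scanning
    upload_sarif "$lang" "example-org/example-repo" "refs/heads/main" \
      "0000000000000000000000000000000000000000"
  done
}
main "$@"
```

Run it as-is to see the six commands the `java,python` case would issue; set `DRY_RUN=0` on a runner with `codeql` installed and `GITHUB_TOKEN` exported to execute them. Validating the language list before touching the CLI is what keeps a typo in `language_to_scan` from producing a confusing extractor error several minutes into a build.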
## Output

| Parameter | Description |
|---|---|
| `cql_sarif_output_log` | Log returned from the SARIF upload to GitHub |
## Usage

Example 1: Run the action for java language analysis.

```yaml
...
...
jobs:
  run-codeql-scan:
    runs-on: [self-hosted]
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '21'
      ## if you need to generate a specific Maven settings.xml config file
      ## refer to: https://docs.github.com/en/actions/publishing-packages/publishing-java-packages-with-maven
      ...
      ...
      - name: Run the scan against the codebase
        id: run-scan
        uses: tonys-code-base/run-codeql-analysis-action@master
        with:
          language_to_scan: java
          token: ${{ secrets.GITHUB_TOKEN }}
```
Example 2: Run the action for java and python analysis.

Extend the last step in the previous example as follows:

```yaml
...
...
      - name: Run the scan against the codebase
        id: run-scan
        uses: tonys-code-base/run-codeql-analysis-action@master
        with:
          ## comma separated list of languages to scan
          language_to_scan: "java,python"
```