Skip to content

CodeQL

CodeQL #345

Workflow file for this run

name: "CodeQL"
on:
workflow_dispatch: # Allow manually triggered workflow run
schedule:
# At 05:30 on every day-of-week from Monday through Friday.
- cron: "30 5 * * 1-5"
jobs:
analyze-java:
name: Analyze Java (Kotlin)
runs-on:
labels: ubuntu-latest-8-cores
timeout-minutes: 360
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: java
queries: security-and-quality
- name: Setup Java
uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 21
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v3
- name: Assemble
run: ./gradlew assemble -Dorg.gradle.jvmargs="-Dkotlin.daemon.jvmargs=-Xmx16g" --configuration-cache
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
upload: false # disable the upload here - we will upload in a different action
output: sarif-results
- name: filter-sarif
uses: advanced-security/filter-sarif@v1
with:
patterns: |
-**/*test*.kt
-**/generated-main-avro-java/**
input: sarif-results/java.sarif
output: sarif-results/java.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: sarif-results/java.sarif
category: "/language:java"
analyze-javascript:
name: Analyze Javascript (Typescript)
runs-on:
labels: ubuntu-latest-8-cores
timeout-minutes: 360
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: javascript
queries: security-and-quality
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
upload: false # disable the upload here - we will upload in a different action
output: sarif-results
- name: filter-sarif
uses: advanced-security/filter-sarif@v1
with:
patterns: |
-**/*test*.kt
input: sarif-results/javascript.sarif
output: sarif-results/javascript.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: sarif-results/javascript.sarif
category: "/language:javascript"