-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsample-codeql-monorepo-pr-workflow.yml
119 lines (109 loc) · 4.5 KB
/
sample-codeql-monorepo-pr-workflow.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
# ⚠️ This is an example and must be tuned for using in your own repository. ⚠️
#
# This workflow determines which sub projects of a monorepo are affected by a PR, and then runs CodeQL analysis on those projects.
#
# It uses Actions from `advanced-security/monorepo-code-scanning-action`
#
# To use it, it would be placed under `./github/workflows` in the monorepo.
#
# The specific language and paths affected are passed to the CodeQL analysis, along with a custom analysis workflow if one is provided.
#
# For TypeScript/JavaScript, Python, and Ruby, Java and C#, you can let the CodeQL Action handle the "build" step,
# and only target the project that is being changed by the PR, using `build-mode: none`.
#
# For other languages (Kotlin, Swift and C/C++) an autobuild will be attempted.
#
# You can instead opt to use `manual` for CodeQL languages, to specify everything about the build and CodeQL analysis.
#
# Non-CodeQL tools are supported using the `other` build-mode in the language/project definition.
#
# Either `manual` or `other` build-modes require a custom analysis workflow.
#
# If you want to specify custom queries, you can do so in the same custom analysis workflow, and set the `manual` build-mode.
#
# You can find an example of what that looks like in this repository at .github/workflows/code-scanning-custom-analysis.yml
#
# ⚠️ This is an example and must be tuned for using in your own repository. ⚠️
name: "CodeQL monorepo - PR"
on:
pull_request:
branches: ["main"]
types:
- opened # scan new PRs
- reopened # scan PRs that are reopened
- synchronize # scan newly pushed commits to PRs
- closed # republish results from merged PRs
jobs:
changes:
runs-on: ubuntu-latest
permissions:
pull-requests: read
contents: read
outputs:
projects: ${{ steps.changes.outputs.projects }}
scan-required: ${{ steps.changes.outputs.scan-required }}
steps:
- name: Spot changes to projects
id: changes
uses: advanced-security/monorepo-code-scanning-action/changes@main
with:
# If you are using a C# build.xml file, you will need to set any variables in an inline YAML config, as shown, and reference that XML file here with the `build-xml` input
# ⚠️ This is an example and must be tuned for using in your own repository. ⚠️
variables: |
FolderADir: src/FolderA
FolderBDir: src/FolderB
FolderCDir: src/FolderC
build-xml: build-projects.xml
# Alternatively, you can manually set of the project structure with a JSON input file.
# project-json: projects.json
# This takes the form:
# {
# "csharp": {
# "projects": {
# "<projectName": {
# "paths": ["FolderA", "FolderB"]
# }
# }
# }
# }
#
# At the language or project you can also set `build-mode` and `queries` keys to override the defaults.
# In either case you can also set a config or config-file key to specify a global CodeQL config to use for the analysis.
#
# config-file: .github/codeql-config.yml
# config: |
# queries:
# - my-custom-query
# You can also specify extra globs to include in the scan, by language, in YAML format.
# extra-globs: |
# python:
# - *.py
# - requirements-dev.txt
scan:
if: needs.changes.outputs.scan-required == 'true'
runs-on: ubuntu-latest
permissions:
contents: read
actions: read
security-events: write
needs: changes
strategy:
matrix:
project: ${{ fromJson(needs.changes.outputs.projects).projects }}
steps:
- name: Analyze code
uses: advanced-security/monorepo-code-scanning-action/scan@main
# You must use the 'republish' step to republish the results of missing analyses from the target branch to the PR, to pass any required checks.
# It will also copy these results to the target branch on merge, so that the full results are available in the target branch.
republish:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
actions: read
needs: changes
steps:
- name: Republish results
uses: advanced-security/monorepo-code-scanning-action/republish-sarif@main
with:
projects: ${{ needs.changes.outputs.projects }}