Actions for running CodeQL analysis

CodeQL Action

This action runs GitHub's industry-leading semantic code analysis engine, CodeQL, against a repository's source code to find security vulnerabilities. It then automatically uploads the results to GitHub so they can be displayed in the repository's security tab. CodeQL runs an extensible set of queries, which have been developed by the community and the GitHub Security Lab to find common vulnerabilities in your code.

For a list of recent changes, see the CodeQL Action's changelog.

License

This project is released under the MIT License.

The underlying CodeQL CLI, used in this action, is licensed under the GitHub CodeQL Terms and Conditions. As such, this action may be used on open source projects hosted on GitHub, and on private repositories that are owned by an organisation with GitHub Advanced Security enabled.

Usage

This is a short walkthrough, but for more information read configuring code scanning.

To get code scanning results from CodeQL analysis on your repo you can use the following workflow as a template:

name: "Code Scanning - Action"

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    #        ┌───────────── minute (0 - 59)
    #        │  ┌───────────── hour (0 - 23)
    #        │  │ ┌───────────── day of the month (1 - 31)
    #        │  │ │ ┌───────────── month (1 - 12 or JAN-DEC)
    #        │  │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT)
    #        │  │ │ │ │
    #        │  │ │ │ │
    #        │  │ │ │ │
    #        *  * * * *
    - cron: '30 1 * * 0'

jobs:
  CodeQL-Build:
    # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
    runs-on: ubuntu-latest

    permissions:
      # required for all workflows
      security-events: write

      # only required for workflows in private repositories
      actions: read
      contents: read

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        # Override language selection by uncommenting this and choosing your languages
        # with:
        #   languages: go, javascript, csharp, python, cpp, java, ruby

      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
      # If this step fails, then you should remove it and run the build manually (see below).
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

      # ✏️ If the Autobuild fails above, remove it and uncomment the following
      #    three lines and modify them (or add more) to build your code if your
      #    project uses a compiled language

      #- run: |
      #     make bootstrap
      #     make release

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2

If you prefer to integrate this within an existing CI workflow, it should end up looking something like this:

- name: Initialize CodeQL
  uses: github/codeql-action/init@v2
  with:
    languages: go, javascript

# Here is where you build your code
- run: |
    make bootstrap
    make release

- name: Perform CodeQL Analysis
  uses: github/codeql-action/analyze@v2

Configuration file

Use the config-file parameter of the init action to enable the configuration file. The value of config-file is the path to the configuration file you want to use. This example loads the configuration file ./.github/codeql/codeql-config.yml.

- uses: github/codeql-action/init@v2
  with:
    config-file: ./.github/codeql/codeql-config.yml

The configuration file can be located in a different repository. This is useful if you want to share the same configuration across multiple repositories. If the configuration file is in a private repository you can also specify an external-repository-token option. This should be a personal access token that has read access to any repositories containing referenced config files and queries.

- uses: github/codeql-action/init@v2
  with:
    config-file: owner/repo/codeql-config.yml@branch
    external-repository-token: ${{ secrets.EXTERNAL_REPOSITORY_TOKEN }}

For information on how to write a configuration file, see "Using a custom configuration file."
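As an added illustration (not part of this README), here is a codeql-config.yml of the kind the config-file input above points at, written in the documented configuration-file format. The local query pack path, the source and test paths, and the excluded query ID are placeholders I have assumed, not values from the page.

```yaml
# ./.github/codeql/codeql-config.yml  (added example; paths and IDs are assumed)
name: "Hardened CodeQL config"

# Run only the suites and packs listed below instead of the default suite.
disable-default-queries: true

queries:
  # Built-in suite with a wider set of security queries than the default.
  - uses: security-extended
  # Queries kept in this repository (assumed path to a local QL pack).
  - name: In-repo queries
    uses: ./.github/codeql/custom-queries

# Analyse application code only; skipping vendored and generated trees stops
# third-party findings from drowning out findings in your own code.
# Note: paths / paths-ignore only affect interpreted languages; for compiled
# languages the set of analysed files is whatever the traced build compiles.
paths:
  - src
paths-ignore:
  - src/vendor
  - '**/*.test.js'

# Drop a single query by its ID (placeholder ID, replace with a real one).
query-filters:
  - exclude:
      id: example/placeholder-query-id
```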

If you only want to customise the queries used, you can specify them in your workflow instead of creating a config file, using the queries property of the init action:

- uses: github/codeql-action/init@v2
  with:
    queries: <local-or-remote-query>,<another-query>

By default, this will override any queries specified in a config file. If you wish to use both sets of queries, prefix the list of queries in the workflow with +:

- uses: github/codeql-action/init@v2
  with:
    queries: +<local-or-remote-query>,<another-query>

Configuration via config input

You can alternatively configure CodeQL using the config input to the init Action. The value of this input must be a YAML string that follows the configuration file format documented at "Using a custom configuration file."

Example configuration

- uses: github/codeql-action/init@v2
  with:
    languages: ${{ matrix.language }}
    config: |
      disable-default-queries: true
      queries:
        - uses: security-extended
        - uses: security-and-quality
      query-filters:
        - include:
            tags: /cwe-020/

Sharing configuration across multiple repositories

You can use Actions or environment variables to share configuration across multiple repositories and to modify configuration without needing to edit the workflow file. In the following example, vars.CODEQL_CONF is an Actions configuration variable:

- uses: github/codeql-action/init@v2
  with:
    languages: ${{ matrix.language }}
    config: ${{ vars.CODEQL_CONF }}
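The two snippets above reference `${{ matrix.language }}` without defining the matrix. The following complete workflow is an added example (not from this README) that defines it, running one job per language with least-privilege permissions; the language list and the Go build command are assumptions for a hypothetical repository.

```yaml
# Added example: one analysis job per language via a matrix, so a failure in
# one language does not hide results for the others.
name: "CodeQL (matrix)"

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # upload results to the security tab
      actions: read            # only needed in private repositories
      contents: read           # needed to check out the code

    strategy:
      fail-fast: false         # keep scanning other languages if one job fails
      matrix:
        language: [go, javascript]   # assumed: the languages in this repository

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          # Same config file for every language job (path from the README above).
          config-file: ./.github/codeql/codeql-config.yml

      # Go must be compiled under CodeQL's tracing for it to be analysed;
      # JavaScript is extracted from source and needs no build step.
      - name: Build (compiled languages only)
        if: matrix.language == 'go'
        run: go build ./...      # assumed build command for the repository

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
        with:
          # Distinguishes the SARIF upload of each language job from the others.
          category: "/language:${{ matrix.language }}"
```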

Troubleshooting

Read about troubleshooting code scanning.

Contributing

This project welcomes contributions. See CONTRIBUTING.md for details on how to build, install, and contribute.
