From 50482fc43b65acff1ffe9051586d6083e33446f2 Mon Sep 17 00:00:00 2001 From: Pavan Kumar Date: Fri, 10 Jan 2025 00:11:42 +0000 Subject: [PATCH 1/2] add actions in codeql workflows to scan github workflow actions --- .github/workflows/codeql-analysis.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 3f4d7221fc61e..58b26c0f24ec7 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -72,8 +72,8 @@ jobs: fail-fast: false matrix: # Override automatic language detection by changing the below list - # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python'] - language: ['python', 'javascript'] + # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python', 'actions] + language: ['python', 'javascript', 'actions'] permissions: actions: read contents: read @@ -85,6 +85,7 @@ jobs: with: persist-credentials: false if: | + matrix.language == 'actions' || matrix.language == 'python' && needs.selective-checks.outputs.needs-python-scans == 'true' || matrix.language == 'javascript' && needs.selective-checks.outputs.needs-javascript-scans == 'true' @@ -98,6 +99,7 @@ jobs: # Prefix the list here with "+" to use these queries and those in the config file. # queries: ./path/to/local/query, your-org/your-repo/queries@main if: | + matrix.language == 'actions' || matrix.language == 'python' && needs.selective-checks.outputs.needs-python-scans == 'true' || matrix.language == 'javascript' && needs.selective-checks.outputs.needs-javascript-scans == 'true' 
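Review bot: The new `matrix.language == 'actions' ||` clause in the `@@ -85` hunk makes the actions entry the only matrix language that is never gated by `selective-checks`, so workflow files are scanned on every run; if that is deliberate, a short comment above the clause would keep the next reader from "fixing" it, e.g. `# actions scans are not selective: workflow files are analysed on every run`. The identical four-line `if:` expression is repeated for the checkout step here and again for the init, autobuild and analyze steps in the `@@ -98` and `@@ -106` hunks, so any future change to the gating has to be made in four places; one way to collapse that is a single job-level `env:` value computed once from the `matrix` and `needs` contexts with `if: env.RUN_SCAN == 'true'` on each step, though the job header is outside these hunks and I cannot see whether an `env:` block already exists. Operator precedence is fine as written, since `&&` binds tighter than `||` in workflow expressions and the leading clause stands on its own.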
@@ -106,11 +108,13 @@ jobs: - name: Autobuild uses: github/codeql-action/autobuild@v3 if: | + matrix.language == 'actions' || matrix.language == 'python' && needs.selective-checks.outputs.needs-python-scans == 'true' || matrix.language == 'javascript' && needs.selective-checks.outputs.needs-javascript-scans == 'true' - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 if: | + matrix.language == 'actions' || matrix.language == 'python' && needs.selective-checks.outputs.needs-python-scans == 'true' || matrix.language == 'javascript' && needs.selective-checks.outputs.needs-javascript-scans == 'true' From d313e32aa306360e2c1d40389a42332903073273 Mon Sep 17 00:00:00 2001 From: Pavan Kumar Date: Fri, 10 Jan 2025 00:13:14 +0000 Subject: [PATCH 2/2] add actions in codeql workflows to scan github workflow actions --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 58b26c0f24ec7..be0d690799550 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -72,7 +72,7 @@ jobs: fail-fast: false matrix: # Override automatic language detection by changing the below list - # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python', 'actions] + # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python'] language: ['python', 'javascript', 'actions'] permissions: actions: read
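Review bot: After this second patch the comment above the matrix lists the supported options as ending in `'python'` while the `language:` line directly below it now includes `'actions'`, so the documentation contradicts the code it describes; the comment should be `# Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python', 'actions']` (with the closing quote that the first patch dropped). The `actions` CodeQL language is a recent addition, so it would be worth stating in the PR description which `github/codeql-action` release and CodeQL CLI version the pinned `@v3` resolves to and that it supports `actions`, as an unsupported language value would fail the init step rather than silently skip.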