Implement feature X to enhance user experience and fix bug Y in module Z #131
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # CodeQL Security Scan — SAST for C# and TypeScript | |
| # Scans source code for vulnerabilities: SQL injection, XSS, path traversal, | |
| # insecure crypto, unsafe deserialization, hardcoded credentials, and more. | |
| # Results appear in: Security tab → Code scanning alerts | |
| # Cost: FREE on public GitHub repositories | |
| name: CodeQL Security Scan | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - develop | |
| - 'release' | |
| - 'bugfix/**' | |
| - 'feature/**' | |
| - 'hotfix/**' | |
| pull_request: | |
| branches: | |
| - main | |
| - develop | |
| - 'release' | |
| - 'bugfix/**' | |
| - 'feature/**' | |
| - 'hotfix/**' | |
| schedule: | |
| # Run full scan weekly on Sunday at 2 AM IST (8:30 PM UTC Saturday) | |
| - cron: '30 20 * * 6' | |
| jobs: | |
| analyze-csharp: | |
| name: Scan C# (.NET Backend) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write # Required to upload CodeQL results | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up .NET | |
| uses: actions/setup-dotnet@v4 | |
| with: | |
| dotnet-version: '10.0.x' | |
| - name: Initialize CodeQL for C# | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: csharp | |
| config-file: .github/codeql/codeql-config.yml | |
| # Use extended security queries for broader coverage | |
| queries: security-extended | |
| - name: Restore dependencies | |
| run: dotnet restore services/api/ServiceHub.sln | |
| - name: Build for CodeQL analysis | |
| # CodeQL needs to observe the build to understand the code | |
| run: | | |
| dotnet build services/api/ServiceHub.sln \ | |
| --configuration Release \ | |
| --no-restore | |
| - name: Perform CodeQL analysis | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:csharp" | |
| analyze-typescript: | |
| name: Scan TypeScript (React Frontend) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20.x' | |
| cache: 'npm' | |
| cache-dependency-path: apps/web/package-lock.json | |
| - name: Initialize CodeQL for TypeScript | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: javascript-typescript | |
| config-file: .github/codeql/codeql-config.yml | |
| queries: security-extended | |
| - name: Install dependencies | |
| working-directory: apps/web | |
| run: npm ci --include=optional | |
| - name: Build for CodeQL analysis | |
| working-directory: apps/web | |
| # TypeScript build helps CodeQL resolve types accurately | |
| run: npx tsc -b --noEmit || true | |
| - name: Perform CodeQL analysis | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:javascript-typescript" |