codeql-analysis.yml

---
name: CodeQL Analysis

on:
  push:
    branches: [master]
    paths-ignore:
      - '**.md'

  pull_request:
    branches: [master]
    paths-ignore:
      - '**.md'

  workflow_dispatch:

  schedule:
    - cron: '0 6 * * Sun'

env:
  DOTNET_CLI_TELEMETRY_OPTOUT: true

jobs:
  codeql-analyze:
    name: CodeQL Analyze
    runs-on: ubuntu-latest

    permissions:
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Setup .NET
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: 10.x

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4.35.2
        with:
          languages: csharp
          queries: +security-and-quality
          config: |
            query-filters:
              - exclude:
                  id:
                    - cs/dereferenced-value-may-be-null
                    - cs/catch-of-all-exceptions
                    - cs/empty-catch-block
                    - cs/web/insecure-direct-object-reference
                    - cs/web/missing-function-level-access-control

      - name: Autobuild
        uses: github/codeql-action/autobuild@v4.35.2

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4.35.2
        with:
          output: sarif-results
          upload: failure-only

      - name: Filter SARIF
        uses: advanced-security/filter-sarif@v1
        with:
          patterns: |
            -**/*
            +src/**/*
            -**/generated/**/*.g.cs
            -**/generated/**/*.generated.cs
          input: sarif-results/csharp.sarif
          output: sarif-results/csharp.sarif

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v4.35.2
        with:
          sarif_file: sarif-results/csharp.sarif