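name: CodeQL Analysis
# Complements security-scan.yml (Brakeman + Semgrep + TruffleHog).
# CodeQL brings a different engine: it catches SQL injection, path traversal,
# SSRF and code injection in Ruby that the other tools can miss.
# Results are published to the GitHub Security tab (SARIF).
#
# NOTE(review): every `uses:` below is pinned to a mutable major tag. For
# supply-chain hardening, pin each action to a full commit SHA (keeping the
# tag in a trailing comment) and let Dependabot bump them.

on:
  push:
    branches: [ master ]
    paths:
      - 'app/**'
      - 'lib/**'
      - 'config/**'
      - 'Gemfile'
      - 'Gemfile.lock'
      # The whole workflows directory, not only this file: the `actions`
      # language job below analyzes every workflow, so a change to any of
      # them must trigger a run.
      - '.github/workflows/**'
      - '.github/codeql/**'
  pull_request:
    branches: [ master ]
    paths:
      - 'app/**'
      - 'lib/**'
      - 'config/**'
      - 'Gemfile'
      - 'Gemfile.lock'
      - '.github/workflows/**'
      - '.github/codeql/**'
  schedule:
    # Saturday 03:00 UTC — does not collide with nightly-security (weekdays)
    # or security-scan (push/PR).
    - cron: '0 3 * * 6'

# Workflow-wide token scope. A job that needs a different set declares its own
# `permissions` block, which replaces this one entirely for that job.
permissions:
  security-events: write  # upload SARIF to the Security tab
  packages: read          # fetch private/internal CodeQL packs
  actions: read           # read workflow run status (needed on private repos)
  contents: read

jobs:
  analyze-ruby:
    name: Analyze Ruby
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ruby
          # Ruby is interpreted; no build is needed to extract the database.
          build-mode: none
          # Query suites and path filters live in the config file.
          config-file: .github/codeql/codeql-config.yml

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: /language:ruby
          output: codeql-results/ruby
        # analyze@v3 already uploads SARIF automatically — no upload-sarif step needed

  analyze-actions:
    name: Analyze GitHub Actions Workflows
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: actions
          build-mode: none
          # No security-extended here — the actions language uses the default
          # config (security-extended has no extra queries for Actions).

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: /language:actions
          output: codeql-results/actions
        # analyze@v3 already uploads SARIF automatically — no upload-sarif step needed

  codeql-summary:
    name: CodeQL Summary
    runs-on: ubuntu-latest
    needs: [ analyze-ruby, analyze-actions ]
    if: always()  # report even when an analysis job failed or was cancelled
    # Least privilege: this job only writes a step summary and posts a PR
    # comment. Declaring the block here also drops the workflow-level
    # `security-events: write` the job would otherwise inherit.
    # `pull-requests: write` is required for issues.createComment on a PR;
    # without it the API call fails with 403 and the step errors.
    permissions:
      pull-requests: write
    steps:
      - name: Job Summary
        # `needs.*.result` is a fixed enum (success/failure/cancelled/skipped),
        # so interpolating it into the script is not an injection vector. The
        # quoted 'EOF' keeps the backticks in the Markdown from being executed
        # as command substitutions.
        run: |
          cat >> "$GITHUB_STEP_SUMMARY" << 'EOF'
          ## CodeQL Analysis
          | Language | Result |
          |----------|--------|
          | Ruby | ${{ needs.analyze-ruby.result }} |
          | Actions | ${{ needs.analyze-actions.result }} |
          Resultados completos disponiveis no [Security tab](../../security/code-scanning).
          **Query suite**: `security-extended` + `security-and-quality`
          **Escopo**: `app/`, `lib/`, `config/` (exclui vendor, tests, scripts)
          EOF

      - name: Comment on PR
        # Same-repo PRs only: on a PR from a fork the GITHUB_TOKEN is read-only
        # regardless of the `permissions` block, so createComment would 403
        # and turn the summary job red.
        if: >-
          github.event_name == 'pull_request' &&
          github.event.pull_request.head.repo.full_name == github.repository
        uses: actions/github-script@v7
        with:
          script: |
            // Fixed-enum values (see the Job Summary step); safe to inline.
            const ruby = '${{ needs.analyze-ruby.result }}';
            const actions = '${{ needs.analyze-actions.result }}';
            const status = (r) => r === 'success' ? 'OK' : r === 'failure' ? 'FAIL' : r;
            const body = [
              '## CodeQL Analysis',
              '',
              '| Language | Status |',
              '|----------|--------|',
              `| Ruby (security-extended) | ${status(ruby)} |`,
              `| GitHub Actions workflows | ${status(actions)} |`,
              '',
              'Ver alertas completos no [Security tab](../../security/code-scanning).',
            ].join('\n');
            // Await the call so a failed request fails the step instead of
            // becoming an unhandled rejection after the script returns.
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body,
            });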