-
Notifications
You must be signed in to change notification settings - Fork 0
85 lines (78 loc) · 3.14 KB
/
Copy pathcodeql.yml
File metadata and controls
85 lines (78 loc) · 3.14 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
# =============================================================================
# CodeQL — GitHub's native SAST, Java flavour.
#
# Why this exists on GitHub but not GitLab: CodeQL's query engine is
# embedded in GitHub Actions. Running it outside GitHub is possible
# with the standalone CLI but adds maintenance for marginal gain when
# the repo is already public on GitHub. See docs/ops/github-mirror.md
# for the full rationale.
#
# What this workflow does NOT do: unit tests, integration tests, Docker
# build, deploy. All of that is on GitLab CI (gitlab.com/iris-7/
# iris-service). This file stays scoped to SAST only to avoid
# drifting into a duplicate test pipeline.
# =============================================================================
name: CodeQL
on:
push:
branches: [main]
# Only rerun when Java source or the build config changes. Docs-only
# pushes don't need a security rescan.
paths:
- '**/*.java'
- 'pom.xml'
- '.github/workflows/codeql.yml'
pull_request:
branches: [main]
paths:
- '**/*.java'
- 'pom.xml'
schedule:
# Weekly rescan — catches CVEs in the rule set that weren't there
# when the last push happened. Monday 06:00 UTC = 07:00 CET, runs
# before any real user opens the repo.
- cron: '0 6 * * 1'
# Manual trigger — useful when tuning query suite.
workflow_dispatch: {}
permissions:
# Least-privilege. `security-events: write` is what lets CodeQL
# publish the SARIF to the Security tab.
contents: read
security-events: write
jobs:
analyze:
name: CodeQL Java
runs-on: ubuntu-latest
timeout-minutes: 15
# All `uses:` below pinned by full commit SHA — same supply-chain
# rationale as scorecard.yml (Sonar `githubactions:S7637`,
# OSSF Scorecard recommendation, tj-actions/changed-files March 2025
# incident). Renovate bumps these via the `digest` update-type
# configured in `renovate.json` (auto-merges patch/digest updates
# after CI green).
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up JDK 25
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
# CodeQL supports Java 8–21 out of the box. For Java 25 we
# tell the setup action to install it, CodeQL compiles
# source manually (extraction mode: source-only) rather than
# running the build.
distribution: temurin
java-version: '21'
- name: Initialize CodeQL
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
with:
languages: java
# Extended query suite — includes security-extended rules.
# Security-and-quality also covers code-quality patterns
# already caught by Sonar, so we stay on security-extended
# to avoid double-reporting.
queries: security-extended
build-mode: none
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
with:
category: "/language:java"