diff options
Diffstat (limited to '.github/workflows/codeql-analysis.yml')
| -rw-r--r-- | .github/workflows/codeql-analysis.yml | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e7129aae5..2190c9a1d 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
| @@ -34,8 +34,15 @@ on: | |||
| 34 | schedule: | 34 | schedule: |
| 35 | - cron: '0 7 * * 2' | 35 | - cron: '0 7 * * 2' |
| 36 | 36 | ||
| 37 | permissions: # added using https://github.com/step-security/secure-workflows | ||
| 38 | contents: read | ||
| 39 | |||
| 37 | jobs: | 40 | jobs: |
| 38 | analyze: | 41 | analyze: |
| 42 | permissions: | ||
| 43 | actions: read # for github/codeql-action/init to get workflow details | ||
| 44 | contents: read # for actions/checkout to fetch code | ||
| 45 | security-events: write # for github/codeql-action/autobuild to send a status report | ||
| 39 | name: Analyze | 46 | name: Analyze |
| 40 | runs-on: ubuntu-latest | 47 | runs-on: ubuntu-latest |
| 41 | 48 | ||
| @@ -48,12 +55,17 @@ jobs: | |||
| 48 | # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed | 55 | # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed |
| 49 | 56 | ||
| 50 | steps: | 57 | steps: |
| 58 | - name: Harden Runner | ||
| 59 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 | ||
| 60 | with: | ||
| 61 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | ||
| 62 | |||
| 51 | - name: Checkout repository | 63 | - name: Checkout repository |
| 52 | uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 64 | uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 |
| 53 | 65 | ||
| 54 | # Initializes the CodeQL tools for scanning. | 66 | # Initializes the CodeQL tools for scanning. |
| 55 | - name: Initialize CodeQL | 67 | - name: Initialize CodeQL |
| 56 | uses: github/codeql-action/init@cc7986c02bac29104a72998e67239bb5ee2ee110 | 68 | uses: github/codeql-action/init@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 |
| 57 | with: | 69 | with: |
| 58 | languages: ${{ matrix.language }} | 70 | languages: ${{ matrix.language }} |
| 59 | # If you wish to specify custom queries, you can do so here or in a config file. | 71 | # If you wish to specify custom queries, you can do so here or in a config file. |
| @@ -64,7 +76,7 @@ jobs: | |||
| 64 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | 76 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). |
| 65 | # If this step fails, then you should remove it and run the build manually (see below) | 77 | # If this step fails, then you should remove it and run the build manually (see below) |
| 66 | - name: Autobuild | 78 | - name: Autobuild |
| 67 | uses: github/codeql-action/autobuild@cc7986c02bac29104a72998e67239bb5ee2ee110 | 79 | uses: github/codeql-action/autobuild@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 |
| 68 | 80 | ||
| 69 | # âšī¸ Command-line programs to run using the OS shell. | 81 | # âšī¸ Command-line programs to run using the OS shell. |
| 70 | # đ https://git.io/JvXDl | 82 | # đ https://git.io/JvXDl |
| @@ -78,4 +90,4 @@ jobs: | |||
| 78 | # make release | 90 | # make release |
| 79 | 91 | ||
| 80 | - name: Perform CodeQL Analysis | 92 | - name: Perform CodeQL Analysis |
| 81 | uses: github/codeql-action/analyze@cc7986c02bac29104a72998e67239bb5ee2ee110 | 93 | uses: github/codeql-action/analyze@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 |