query/.github/workflows/codeql.yml at main · DataScience-GT/query · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
name: "CodeQL Advanced Security Analysis"

on:
  push:
    branches: [ "main", "dev" ]
  pull_request:
    branches: [ "main", "dev" ]
  schedule:
    - cron: '0 2 * * *'

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  analyze:
    name: Analyze TypeScript/Next.js
    runs-on: ubuntu-latest
    timeout-minutes: 360

    # Required permissions for CodeQL
    permissions:
      security-events: write
      packages: read
      actions: read
      contents: read

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
      with:
        fetch-depth: 0

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v4
      with:
        languages: javascript-typescript
        build-mode: none
        # Standard robust query suites catch XSS, SQLi, Logic flaws, etc.
        queries: security-extended,security-and-quality

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v4
      with:
        category: "/language:javascript-typescript"

  dependency-review:
    name: Dependency Security Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'

    permissions:
      contents: read
      # Required for dependency-review-action to comment on PRs
      pull-requests: write

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Dependency Review
      uses: actions/dependency-review-action@v4
      with:
        fail-on-severity: high
        comment-summary-in-pr: always
        vulnerability-check: true

  security-summary:
    name: Security Analysis Summary
    needs: [analyze]
    runs-on: ubuntu-latest
    if: always()

    steps:
    - name: Generate Summary
      run: |
        echo "# Security Analysis Complete 🛡️" >> $GITHUB_STEP_SUMMARY
        echo "The advanced CodeQL analysis and Dependency Review have finished." >> $GITHUB_STEP_SUMMARY
        echo "All findings have been uploaded directly to the GitHub Security tab." >> $GITHUB_STEP_SUMMARY
        echo "View detailed results at: https://github.com/${{ github.repository }}/security/code-scanning" >> $GITHUB_STEP_SUMMARY