Adds SARIF filtering for the Go analysis so that findings located under `third-party/` are dropped from the results, and updates the workflow to upload the filtered SARIF files in an explicit step instead of having the analyze step upload them. This improves the signal of the security reports by excluding code the project does not maintain; the filter is post-processing only, so that code is still analyzed, and only the Go results (not the `actions` results) are filtered.
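---
# CodeQL code scanning for the Go sources and for the workflow files
# themselves (the `actions` language). Results are written to disk,
# post-processed, and uploaded by an explicit step rather than by analyze.
name: Code Scanning

on:
  push:
    branches: [trunk]
  pull_request:
    branches: [trunk]
    # Markdown-only pull requests skip scanning. Pushes to trunk carry no
    # path filter, so the trunk baseline is refreshed on every push.
    paths-ignore:
      - '**/*.md'
  schedule:
    # Weekly scan (Sunday 00:00 UTC), independent of commit activity.
    - cron: "0 0 * * 0"

# Workflow-wide least-privilege token; no job needs more than this.
permissions:
  actions: read  # for github/codeql-action/init to get workflow details
  contents: read  # for actions/checkout to fetch code
  security-events: write  # for github/codeql-action/analyze to upload SARIF results

jobs:
  CodeQL-Build:
    runs-on: ubuntu-latest
    strategy:
      # Let the other language finish and upload even if one analysis fails.
      fail-fast: false
      matrix:
        language: ['go', 'actions']

    steps:
      # Supply chain: only filter-sarif below is pinned to an immutable commit
      # SHA; the actions/* and github/* references are mutable version tags.
      # TODO(security): pin every action to a full commit SHA, keeping the tag
      # in a trailing comment as done for filter-sarif, so a moved tag cannot
      # change what runs with security-events: write.
      - name: Check out code
        uses: actions/checkout@v4

      # Runs before CodeQL init so the Go toolchain CodeQL extracts with is the
      # one declared in go.mod.
      - name: Setup Go
        if: matrix.language == 'go'
        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-and-quality

      # Upload is disabled here because the Go results are filtered first;
      # the final step uploads for both languages.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
          upload: false
          # Produces sarif-results/<language>.sarif, read by the steps below.
          output: sarif-results

      # Drops findings whose file path is under third-party/ from the Go SARIF.
      # This is post-processing only: that code is still extracted and
      # analyzed, and the `actions` run is uploaded unfiltered.
      # Pattern syntax: a leading '-' excludes matching file paths.
      - name: Filter SARIF for third-party code
        if: matrix.language == 'go'
        uses: advanced-security/filter-sarif@bc96d9fb9338c5b48cc440b1b4d0a350b26a20db # v1.0.0
        with:
          patterns: |
            -third-party/**
          # Filtered in place: output overwrites the file analyze produced,
          # so the upload step reads the same path for both languages.
          input: sarif-results/${{ matrix.language }}.sarif
          output: sarif-results/${{ matrix.language }}.sarif

      # category must equal the analyze step's category: it is the key code
      # scanning uses to match this upload with earlier results for the same
      # language, so a mismatch would create a second, never-superseded alert set.
      - name: Upload filtered SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarif-results/${{ matrix.language }}.sarif
          category: "/language:${{ matrix.language }}"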