This is an automated email from the ASF dual-hosted git repository.
sbp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/main by this push:
new 20c7d77 Add a CodeQL analysis workflow
20c7d77 is described below
commit 20c7d777e7fe91b1bdbafabc39617918a33dbe4a
Author: Sean B. Palmer <[email protected]>
AuthorDate: Tue Dec 9 20:21:06 2025 +0000
Add a CodeQL analysis workflow
---
.github/workflows/codeql.yaml | 70 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 70 insertions(+)
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
new file mode 100644
index 0000000..b977ad1
--- /dev/null
+++ b/.github/workflows/codeql.yaml
@@ -0,0 +1,70 @@
+name: CodeQL
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+
+ permissions:
+ actions: read
+ contents: read
+ packages: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: python
+ suppression_pack: +codeql/python-queries:AlertSuppression.ql
+ - language: actions
+ suppression_pack: ""
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+ with:
+ persist-credentials: false
+
+ - name: Start CodeQL
+ uses:
github/codeql-action/init@267c4672a565967e4531438f2498370de5e8a98d
+ with:
+ languages: ${{ matrix.language }}
+ queries: security-extended
+ packs: ${{ matrix.suppression_pack }}
+ config-file: ./codeql-config.yml
+
+ - name: Perform CodeQL analysis
+ id: analyze
+ uses:
github/codeql-action/analyze@267c4672a565967e4531438f2498370de5e8a98d
+ with:
+ category: "/language:${{ matrix.language }}"
+ output: sarif-results
+
+ - name: Show SARIF suppressed result statistics
+ run: |
+ python - <<'PY'
+ import json, pathlib
+ p = pathlib.Path("sarif-results") / "${{ matrix.language }}.sarif"
+ data = json.loads(p.read_text())
+ results = data["runs"][0].get("results", [])
+ suppressed = [r for r in results if r.get("suppressions")]
+ print(f"SARIF file: {p}")
+ print(f"Total results: {len(results)}")
+ print(f"Suppressed results: {len(suppressed)}")
+ PY
+
+ - name: Dismiss alerts of suppressed results
+ if: github.ref == 'refs/heads/main'
+ uses:
advanced-security/dismiss-alerts@29b55573401eedd7f600e4c3e5d0676a457b9f23
+ with:
+ sarif-id: ${{ steps.analyze.outputs.sarif-id }}
+ sarif-file: sarif-results/${{ matrix.language }}.sarif
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
