Skip to content

PoC - Run CodeQL and add comment to PR with the findings without sending to Security Tab #9

PoC - Run CodeQL and add comment to PR with the findings without sending to Security Tab

PoC - Run CodeQL and add comment to PR with the findings without sending to Security Tab #9

Workflow file for this run

name: "CodeQL Advanced"
on:
pull_request:
branches: [ "main" ]
paths:
- 'node-sample/**'
jobs:
analyze:
name: Analyze (${{ matrix.language }})
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
permissions:
# required for all workflows
security-events: write
# required to fetch internal or private CodeQL packs
packages: read
strategy:
fail-fast: false
matrix:
include:
- language: javascript
build-mode: none
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: javascript
queries: security-extended
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
upload: "never"
output: ./codeql/${{matrix.language}}
- name: List files to verify the file exists
run: cd codeql/; ls -lah
- name: Set up Node.js
uses: actions/setup-node@v3
with:
node-version: 'latest'
- name: Run sarif-to-comment
run: |
npx @security-alert/sarif-to-comment \
--commentUrl "$URL" \
--sarifContentOwner "$OWNER" \
--sarifContentRepo "$REPOSITORY" \
--sarifContentBranch "$BRANCH" \
"$File"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPOSITORY: "codeql_troubleshoot_container"
OWNER: "Perdiga"
URL: "https://github.com/Perdiga/codeql_troubleshoot_container/pull/1"
BRANCH: "main"
File: "./codeql/${{matrix.language}}/javascript.sarif"