Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/advanced-security/set-codeql-language-matrix
Automatically set the CodeQL matrix job using the languages in your repository.
https://github.com/advanced-security/set-codeql-language-matrix
codeql
Last synced: about 1 month ago
JSON representation
Automatically set the CodeQL matrix job using the languages in your repository.
- Host: GitHub
- URL: https://github.com/advanced-security/set-codeql-language-matrix
- Owner: advanced-security
- License: mit
- Created: 2022-11-14T16:50:04.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2023-11-01T17:25:17.000Z (about 1 year ago)
- Last Synced: 2024-05-13T01:20:49.469Z (7 months ago)
- Topics: codeql
- Language: Python
- Homepage:
- Size: 30.3 KB
- Stars: 8
- Watchers: 2
- Forks: 4
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Codeowners: CODEOWNERS
- Security: SECURITY.md
- Support: SUPPORT.md
Awesome Lists containing this project
- awesome-codeql - set-codeql-language-matrix - Automatically set the CodeQL matrix job using the languages in your repository. (CodeQL Actions Helpers)
README
# Set CodeQL Language Matrix
This action reads the languages API for your repository and sets the CodeQL supported languages as the job matrix for your Actions run.
## Background
The default Actions workflow for CodeQL auto-populates the job matrix with your repo's supported CodeQL languages. However, as new code is added to a repository, that language matrix is not updated. You need to manually add those languages to the matrix definition to have CodeQL scan them.
This action reads the repository languages API and adds all supported languages to the job matrix. No additional configuration is required.
Learn more about the supported CodeQL languages [here](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed)
## How to use this action
Call this action before defining the CodeQL analyze job strategy, then set the matrix to the output from the action: `${{ fromJSON(needs.create-matrix.outputs.matrix) }}`
**Example**
``` yaml
name: "CodeQL Auto Language"on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
schedule:
- cron: '17 19 * * 6'jobs:
create-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.languages }}
steps:
- name: Get languages from repo
id: set-matrix
uses: advanced-security/set-codeql-language-matrix@v1
with:
access-token: ${{ secrets.GITHUB_TOKEN }}
endpoint: ${{ github.event.repository.languages_url }}
analyze:
needs: create-matrix
if: ${{ needs.create-matrix.outputs.matrix != '[]' }}
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: writestrategy:
fail-fast: false
matrix:
language: ${{ fromJSON(needs.create-matrix.outputs.matrix) }}steps:
- name: Checkout repository
uses: actions/checkout@v3# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
- name: Autobuild
uses: github/codeql-action/autobuild@v3- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
```### Excluding CodeQL Languages
It's possible you may choose to exclude specific languages from your CodeQL scans. In that case, use the `exclude` input.Example:
``` yaml
create-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.languages }}
steps:
- name: Get languages from repo
id: set-matrix
uses: advanced-security/set-codeql-language-matrix@v1
with:
access-token: ${{ secrets.GITHUB_TOKEN }}
endpoint: ${{ github.event.repository.languages_url }}
exclude: 'java, python'```
### Swift support
If you want to include Swift in your CodeQL analysis, you need to ensure that the action runs on a macOS runner. This is because Swift analysis with CodeQL requires a macOS environment. You can achieve this by making the `runs-on` field in your workflow conditional based on the language being analyzed.Example:
``` yaml
analyze:
needs: create-matrix
if: ${{ needs.create-matrix.outputs.matrix != '[]' }}
name: Analyze
runs-on: ${{ matrix.language == 'swift' && 'macos-latest' || 'ubuntu-latest' }}
permissions:
actions: read
contents: read
security-events: write
```If you want to run all languages **other than Swift** on a specific group of runners, you can adjust the `runs-on` line in your workflow as shown in the following example:
``` yaml
runs-on: ${{ matrix.language == 'swift' && 'macos-latest' || fromJSON('{"group":"runner-group-name"}') }}
```## License
This project is licensed under the terms of the MIT open source license. Please refer to [MIT](./LICENSE.md) for the full terms.
## Maintainers
Take a look at [CODEOWNERS](./CODEOWNERS.md) to identify the maintainers.
## Support
Got a question or issue? Open an issue in this repo and tag any of the folks in [CODEOWNERS](./CODEOWNERS.md).