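name: CodeQL
# JavaScript / TypeScript SAST scan via GitHub's native CodeQL.
#
# Why this exists (closes issue #58)
# ──────────────────────────────────
# OpenSSF Scorecard runs already, but it operates at the *infrastructure*
# layer (workflow permissions, action SHA pinning, branch protection,
# release signing, dependency graph). It does NOT analyse the package's
# source code. CodeQL fills that gap: semantic, data-flow-aware analysis
# that catches injection bugs, ReDoS regex shapes, prototype pollution,
# eval-like patterns, and the other code-level smells that ship from the
# `packages/tailwindcss-obfuscator/src/**` tree to every consumer's bundle.
#
# Findings appear in the GitHub Security tab → Code scanning. The same SARIF
# upload mechanism is already wired in scorecard.yml, so the action set and
# the upload path are exercised on every run there too.
#
# Schedule: on every push to main + every PR + weekly cron (catches new
# CodeQL queries as GitHub publishes them, even if no code changed).
#
# Trigger hygiene: `pull_request` (not `pull_request_target`) is used on
# purpose. The PR's own code is checked out, so this job must never get
# more than a read-only token for repository contents. Do not "upgrade"
# the trigger to pull_request_target to get results for fork PRs.
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Every Monday at 06:30 UTC. Offset 30 min from scorecard.yml (06:00) so
    # both don't fight for the same runner pool window.
    - cron: "30 6 * * 1"
  workflow_dispatch:

# One in-flight run per ref. push, schedule and (typically) workflow_dispatch
# all resolve `github.ref` to refs/heads/main, so a push to main cancels a
# weekly cron run that is still analysing. The newer run supersedes it,
# which is the intended "latest code wins" behaviour; SARIF uploads for the
# same category replace each other rather than accumulating.
concurrency:
  group: codeql-${{ github.ref }}
  cancel-in-progress: true

# Top-level grants nothing; each job re-declares its minimum scope.
permissions: {}

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      # Required for the SARIF upload to Code scanning.
      security-events: write
      # Lets the upload step read workflow-run metadata. GitHub's starter
      # workflow documents this as needed only for private repositories;
      # it is harmless on a public repo and kept for parity with the template.
      actions: read
      # Required by actions/checkout.
      contents: read
    strategy:
      fail-fast: false
      matrix:
        # "javascript-typescript" covers .js, .jsx, .ts, .tsx -- the entire
        # surface of this repo's published code
        # (`packages/tailwindcss-obfuscator/src/**`). Test files are scanned
        # too: a bug in test code can mask a real bug in the shipped tree.
        language: ["javascript-typescript"]
    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          # Do not leave GITHUB_TOKEN in .git/config for later steps. The
          # CodeQL actions authenticate through their own `token` input
          # (defaults to github.token), not through stored git credentials.
          persist-credentials: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3.35.2
        with:
          languages: ${{ matrix.language }}
          # CodeQL's built-in default is the `default` suite (high-precision
          # security queries only). `security-extended` is a superset that
          # also enables lower-precision security queries (ReDoS variants,
          # prototype pollution, hard-coded credentials, ...). More noise,
          # but more coverage; triage findings in the Security tab.
          queries: security-extended

      # No autobuild step. JavaScript/TypeScript is not compiled, the
      # extractor runs as part of the analyze step, and GitHub documents the
      # autobuild step as removable for JS/TS. Dropping it also removes one
      # third-party action invocation from the job's supply chain.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3.35.2
        with:
          # The category keys the SARIF upload so results from different
          # languages/workflows do not overwrite each other.
          category: "/language:${{ matrix.language }}"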