bindy/.github/workflows/codeql.yml at main · firestoned/bindy · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
# Copyright (c) 2025 Erick Bourgeois, firestoned
# SPDX-License-Identifier: MIT

name: CodeQL Security Analysis

on:
  # Reusable workflow - can be called by other workflows
  workflow_call:
    inputs:
      languages:
        description: 'Languages to analyze (comma-separated)'
        required: false
        type: string
        default: 'rust'
      config-file:
        description: 'Path to CodeQL config file'
        required: false
        type: string
        default: ''
    outputs:
      sarif-file:
        description: 'Path to generated SARIF file'
        value: ${{ jobs.analyze.outputs.sarif-file }}

  # Scheduled scan - weekly on Monday at 9 AM UTC
  schedule:
    - cron: '0 9 * * 1'

  # Run on push to main branch
  push:
    branches: [ main ]

  # Run on pull requests
  pull_request:
    branches: [ main ]

  # Allow manual trigger
  workflow_dispatch:
    inputs:
      languages:
        description: 'Languages to analyze (comma-separated)'
        required: false
        type: string
        default: 'rust'

permissions:
  contents: read
  security-events: write
  actions: read

env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: 1

jobs:
  changes:
    name: Detect Changed Files
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    outputs:
      code: ${{ steps.filter.outputs.code }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Check for changes
        uses: dorny/paths-filter@v4
        id: filter
        with:
          filters: |
            code:
              - 'src/**'
              - 'Cargo.toml'
              - 'Cargo.lock'

  analyze:
    name: Analyze Rust Code
    runs-on: ubuntu-latest
    timeout-minutes: 30
    needs: [changes]
    if: |
      always() &&
      (github.event_name != 'pull_request' || needs.changes.outputs.code == 'true')
    outputs:
      sarif-file: ${{ steps.upload.outputs.sarif-file }}

    strategy:
      fail-fast: false
      matrix:
        language: [ 'rust' ]

    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0  # Full history for better analysis

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: stable

      - name: Cache cargo registry
        uses: actions/cache@v5
        with:
          path: ~/.cargo/registry
          key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-registry-

      - name: Cache cargo index
        uses: actions/cache@v5
        with:
          path: ~/.cargo/git
          key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-index-

      - name: Cache cargo build
        uses: actions/cache@v5
        with:
          path: target
          key: ${{ runner.os }}-cargo-build-codeql-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-build-codeql-
            ${{ runner.os }}-cargo-build-

      # Initialize CodeQL for Rust analysis
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          config-file: ${{ inputs.config-file || '.github/codeql/codeql-config.yml' }}
          # Use default Rust query suite
          # Available suites: security-extended, security-and-quality
          queries: security-and-quality

      # Build the Rust project
      # CodeQL analyzes the build process to understand the code
      - name: Build Rust project
        run: cargo build --all-features --all-targets

      # Perform CodeQL analysis
      - name: Perform CodeQL Analysis
        id: analyze
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{ matrix.language }}"
          upload: true

      # Upload SARIF file as artifact for offline review
      - name: Upload SARIF as artifact
        id: upload
        if: always()
        uses: actions/upload-artifact@v7
        with:
          name: codeql-sarif-${{ matrix.language }}-${{ github.run_number }}
          path: ${{ steps.analyze.outputs.sarif-output }}/${{ matrix.language }}.sarif
          retention-days: 30

      # Create summary of findings
      - name: Generate summary
        if: always()
        run: |
          echo "## CodeQL Security Analysis Results" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**Language:** ${{ matrix.language }}" >> $GITHUB_STEP_SUMMARY
          echo "**Date:** $(date -u +"%Y-%m-%d %H:%M UTC")" >> $GITHUB_STEP_SUMMARY
          echo "**Run:** [${{ github.run_number }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "### Results" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          SARIF_FILE="${{ steps.analyze.outputs.sarif-output }}/${{ matrix.language }}.sarif"
          if [ -f "$SARIF_FILE" ]; then
            # Count alerts by severity from SARIF
            CRITICAL=$(jq '[.runs[].results[]? | select(.level=="error")] | length' "$SARIF_FILE" 2>/dev/null || echo "0")
            HIGH=$(jq '[.runs[].results[]? | select(.level=="warning")] | length' "$SARIF_FILE" 2>/dev/null || echo "0")
            MEDIUM=$(jq '[.runs[].results[]? | select(.level=="note")] | length' "$SARIF_FILE" 2>/dev/null || echo "0")
            TOTAL=$((CRITICAL + HIGH + MEDIUM))

            echo "- 🔴 **CRITICAL/HIGH:** $CRITICAL" >> $GITHUB_STEP_SUMMARY
            echo "- 🟡 **MEDIUM:** $HIGH" >> $GITHUB_STEP_SUMMARY
            echo "- 🔵 **LOW/INFO:** $MEDIUM" >> $GITHUB_STEP_SUMMARY
            echo "- **Total:** $TOTAL" >> $GITHUB_STEP_SUMMARY
            echo "" >> $GITHUB_STEP_SUMMARY

            if [ "$TOTAL" -gt "0" ]; then
              echo "⚠️ **Action Required:** Review findings in the [Security tab](${{ github.server_url }}/${{ github.repository }}/security/code-scanning)" >> $GITHUB_STEP_SUMMARY
            else
              echo "✅ **No security issues detected**" >> $GITHUB_STEP_SUMMARY
            fi
          else
            echo "⚠️ SARIF file not found - check CodeQL analysis logs" >> $GITHUB_STEP_SUMMARY
          fi
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "---" >> $GITHUB_STEP_SUMMARY
          echo "View detailed results: [GitHub Security Tab](${{ github.server_url }}/${{ github.repository }}/security/code-scanning)" >> $GITHUB_STEP_SUMMARY