# Composite action metadata. Every input declared here is forwarded to the
# config-generation script through the `env` of the "Generate Config" step in
# `runs`, and some are also used directly by later steps (see the notes below).
name: 'Security Code Scanner - CodeQL'
description: 'Run custom CodeQL analysis'

inputs:
  # Directory of the repository under analysis, joined under the workspace
  # (`${{ github.workspace }}/<repo>`) for the build and analyze steps and used
  # as CodeQL's `source-root`.
  repo:
    required: true
    description: 'Repository that requested the scan'

  # Passed straight to `github/codeql-action/init` as `languages`; the Java
  # toolchain step only runs for `java` / `java-kotlin`.
  language:
    required: true
    description: 'Programming language to analyze'

  paths_ignored:
    required: false
    description: 'Comma delimited paths to ignore during scan'

  rules_excluded:
    required: false
    description: 'Comma delimited IDs of rules to exclude'

  build_mode:
    required: false
    description: 'Build mode for the language'

  # Whatever the config script emits as `build_command` is executed verbatim as
  # shell in the "Build code" step when `build_mode` resolves to `manual`, so
  # this input carries caller-authored shell, not plain data.
  build_command:
    required: false
    default: null
    description: 'Build command for the language'

  version:
    required: false
    description: 'Language/runtime version to use (e.g., 17, 21 for Java; 3.9, 3.10 for Python; 16, 18 for Node.js)'

  distribution:
    required: false
    description: 'Language/runtime distribution to use (e.g., temurin, zulu, corretto for Java; pyenv for Python)'
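runs:
  using: 'composite'
  steps:
    # Caller-controlled values are handed to the shell through `env` and read
    # as "$VAR" instead of being written into the script with `${{ ... }}`:
    # an expression is substituted into the script text before bash parses it,
    # so a value containing quotes, `;` or a newline would be run as shell. An
    # environment variable is only ever data.
    - name: Debug CodeQL Action Inputs
      run: |
        echo "=================== CODEQL ACTION INPUT DEBUG ==================="
        echo "Repository: $REPO"
        echo "Language: $LANGUAGE"
        echo "Build mode: $BUILD_MODE"
        echo "Build command: $BUILD_COMMAND"
        echo "Version: $VERSION"
        echo "Distribution: $DISTRIBUTION"
        echo "Paths ignored: $PATHS_IGNORED"
        echo "Rules excluded: $RULES_EXCLUDED"
        echo "=================================================================="
      shell: bash
      env:
        REPO: ${{ inputs.repo }}
        LANGUAGE: ${{ inputs.language }}
        BUILD_MODE: ${{ inputs.build_mode }}
        BUILD_COMMAND: ${{ inputs.build_command }}
        VERSION: ${{ inputs.version }}
        DISTRIBUTION: ${{ inputs.distribution }}
        PATHS_IGNORED: ${{ inputs.paths_ignored }}
        RULES_EXCLUDED: ${{ inputs.rules_excluded }}

    - name: Enable Corepack
      run: corepack enable
      shell: bash

    # The runner exposes the action and workspace directories as
    # GITHUB_ACTION_PATH / GITHUB_WORKSPACE; quoting keeps paths with spaces
    # intact.
    - name: Copy Query Suites to Workspace Root
      run: |
        echo "Copying query suites to workspace root for CodeQL..."
        cp -r "$GITHUB_ACTION_PATH/query-suites" "$GITHUB_WORKSPACE/"
      shell: bash

    # Runs the config generator from the monorepo checkout (MONOREPO_PATH,
    # defaulting to `.security-scanner`). All inputs reach the script via the
    # environment; its outputs (`languages`, `build_mode`, `build_command`,
    # `version`, `distribution`) drive the steps below.
    # `--immutable` refuses to modify the lockfile, so the dependency set is
    # the one committed in the monorepo.
    - name: Generate Config
      id: generate-config
      run: |
        # Install dependencies and run script from monorepo directory
        cd "$GITHUB_WORKSPACE/${MONOREPO_PATH:-.security-scanner}"
        yarn install --immutable
        cd packages/codeql-action
        node scripts/generate-config.js
      shell: bash
      env:
        REPO: ${{ inputs.repo }}
        LANGUAGE: ${{ inputs.language }}
        BUILD_MODE: ${{ inputs.build_mode }}
        BUILD_COMMAND: ${{ inputs.build_command }}
        VERSION: ${{ inputs.version }}
        DISTRIBUTION: ${{ inputs.distribution }}
        PATHS_IGNORED: ${{ inputs.paths_ignored }}
        RULES_EXCLUDED: ${{ inputs.rules_excluded }}

    # Step outputs are derived from the inputs, so they get the same `env`
    # treatment as the raw inputs above.
    - name: Debug Config Generation Outputs
      run: |
        echo "================= CONFIG GENERATION OUTPUTS ================="
        echo "Languages: $LANGUAGES"
        echo "Build mode: $BUILD_MODE"
        echo "Build command: $BUILD_COMMAND"
        echo "Version: $VERSION"
        echo "Distribution: $DISTRIBUTION"
        echo "=============================================================="
        echo ""
        echo "================= GENERATED CODEQL CONFIG FILE ================="
        cat "$GITHUB_WORKSPACE/codeql-config-generated.yml"
        echo "=================================================================="
      shell: bash
      env:
        LANGUAGES: ${{ steps.generate-config.outputs.languages }}
        BUILD_MODE: ${{ steps.generate-config.outputs.build_mode }}
        BUILD_COMMAND: ${{ steps.generate-config.outputs.build_command }}
        VERSION: ${{ steps.generate-config.outputs.version }}
        DISTRIBUTION: ${{ steps.generate-config.outputs.distribution }}

    # The queries fetched here are executed by the CodeQL run. `ref: main` is a
    # mutable branch of an external repository, so every run picks up whatever
    # that branch currently holds; pinning to a reviewed commit
    # (`ref: <commit-sha>`) and bumping deliberately gives a reproducible,
    # auditable query set. The same applies to the `@vN` tags on the actions
    # used below (`uses: owner/action@<commit-sha>`).
    - name: Checkout Custom Query Repository
      id: checkout-custom-query
      uses: actions/checkout@v6
      with:
        repository: metamask/CodeQL-Queries
        ref: main
        path: ${{ github.workspace }}/custom-queries

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v4
      with:
        config-file: ${{ github.workspace }}/codeql-config-generated.yml
        languages: ${{ inputs.language }}
        source-root: ${{ inputs.repo }}

    # Only needed when the config script resolved a Java version; falls back to
    # Temurin when no distribution was requested.
    - name: Set up JDK for Java/Kotlin
      if: ${{ (inputs.language == 'java-kotlin' || inputs.language == 'java') && steps.generate-config.outputs.version != '' }}
      uses: actions/setup-java@v4
      with:
        java-version: ${{ steps.generate-config.outputs.version }}
        distribution: ${{ steps.generate-config.outputs.distribution || 'temurin' }}

    # Manual build mode: the resolved build command is caller-authored shell
    # and is intentionally interpolated so it runs exactly as written. Only the
    # `cd` target and the echo use the env-variable form.
    - name: Build code
      if: ${{ steps.generate-config.outputs.build_mode == 'manual' && steps.generate-config.outputs.build_command != '' }}
      run: |
        echo "Building code with command: $BUILD_COMMAND"
        cd "$GITHUB_WORKSPACE/$REPO"
        ${{ steps.generate-config.outputs.build_command }}
      shell: bash
      env:
        REPO: ${{ inputs.repo }}
        BUILD_COMMAND: ${{ steps.generate-config.outputs.build_command }}

    # `upload: false` here; the SARIF is uploaded by the dedicated step below
    # under a per-language category.
    - name: Run CodeQL Analysis
      id: codeql-analysis
      uses: github/codeql-action/analyze@v4
      with:
        upload: false
        checkout_path: ${{ github.workspace }}/${{ inputs.repo }}

    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@v4
      with:
        sarif_file: ${{ steps.codeql-analysis.outputs.sarif-output }}
        category: codeql-${{ inputs.language }}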