Create codeql.yml

MissionOpen · web-flow · commit eb0486b2b990 · 2025-09-19T17:09:12.000+02:00
new workflow in git_actions branch
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,98 @@
+
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+
+#1) HEADER & TRIGGER
+name: "Codeql on PR / Conditional Scan NEW"
+
+on:
+  pull_request:
+    branches: [ "main" ] #Se voglio triggerare su tutti i rami = branches: [ "*" ]
+
+#2) CONFIGURAZIONE JOBS
+jobs:
+  analyze:
+    name: Analyze Java - Conditional
+    runs-on: ubuntu-latest
+
+#3) PERMESSI - DEFINISCE COSA PUO' FARE IL WORKFLOW NEL REPOSITORY
+    permissions:
+      security-events: write # Per scrivere risultati di sicurezza
+      packages: read # Per scaricare query pack CodeQL
+      actions: read # Per leggere altri workflow
+      contents: read # Per leggere il codice del repo
+
+#4) CHECKOUT
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0  # Necessario per rilevare i file modificati
+
+#5) RILEVAMENTO FILE MODIFICATI
+    - name: Get changed files
+      id: changed-files
+      uses: tj-actions/changed-files@v44 # https://github.com/tj-actions/changed-files
+      with:
+        files: |
+          **/*.java
+          **/*.xml
+          **/*.properties
+
+#6) SETUP JAVA - CONDIZIONALE
+    - name: Setup Java
+      if: steps.changed-files.outputs.any_changed == 'true'
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'temurin'
+        java-version: '21'
+
+#7) INITIALIZE CODEQL - CONDIZIONALE
+    - name: Initialize CodeQL
+      if: steps.changed-files.outputs.any_changed == 'true'
+      uses: github/codeql-action/init@v3
+      with:
+        languages: java-kotlin
+        build-mode: none
+        queries: ./.codeql/custom-queries
+        # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-codeql-model-packs
+        
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+#8) BUILD MANUALE - CONDIZIONALE
+    # - name: Build WebGoat - Full Project
+    #   if: steps.changed-files.outputs.any_changed == 'true'
+    #   run: |
+    #     echo "Building complete WebGoat project..."
+    #     mvn clean compile -DskipTests -q
+    #     echo "Build completed successfully"
+  
+#9) ANALISI CODEQL - CONDIZIONALE
+    - name: Perform CodeQL Analysis
+      if: steps.changed-files.outputs.any_changed == 'true'
+      uses: github/codeql-action/analyze@v3
+
+#10) SUMMARY
+    - name: Analysis Summary
+      if: steps.changed-files.outputs.any_changed == 'true'
+      run: |
+        echo "WebGoat CodeQL analysis completed"
+        echo "Files analyzed: ${{ steps.changed-files.outputs.all_changed_files }}"
+        echo "Language: java-kotlin"
+        
+    - name: No Changes Summary
+      if: steps.changed-files.outputs.any_changed == 'false'
+      run: |
+        echo "No Java/XML/Properties files changed"
+        echo "⏭CodeQL analysis skipped for performance"
+        
