1- name : " CodeQL"
1+ name : " CodeQL Full Scan with PR Comments (Ultimate Version) "
22
33on :
44 pull_request :
@@ -14,16 +14,40 @@ jobs:
1414 cancel-in-progress : true
1515
1616 steps :
17+ # 1️⃣ Checkout the repository
1718 - name : Checkout repository
1819 uses : actions/checkout@v4
1920
21+ # 2️⃣ Initialize CodeQL
2022 - name : Initialize CodeQL
2123 uses : github/codeql-action/init@v3
2224 with :
23- languages : python
25+ languages : [" python","javascript"] # Add more languages if needed
2426
27+ # 3️⃣ Auto-build the project for CodeQL
2528 - name : Autobuild
2629 uses : github/codeql-action/autobuild@v3
2730
31+ # 4️⃣ Perform CodeQL analysis and generate SARIF report
2832 - name : Perform CodeQL Analysis
2933 uses : github/codeql-action/analyze@v3
34+ with :
35+ output : results.sarif
36+ upload-sarif : true # Upload to GitHub Security tab
37+
38+ # 5️⃣ Comment Top-N alerts per file + PR summary + file severity overview + overflow notice
39+ - name : Comment CodeQL Alerts with Top-N and File Severity Overview
40+ uses : marocchino/sticky-pull-request-comment@v2
41+ with :
42+ path : results.sarif
43+ header : " ### :shield: CodeQL Security Alerts Summary"
44+ layout : " group-by-file"
45+ format : " markdown-table"
46+ sort-severity : true # Sort alerts: Critical → High → Medium → Low
47+ highlight : " Critical,High" # Highlight most severe alerts
48+ collapse : " Medium,Low" # Collapse medium/low severity alerts
49+ max-items-per-file : 5 # Display top 5 alerts per file
50+ show-summary : true # Show total alert summary table for the PR
51+ show-file-overview : true # Show file-level Critical/High counts
52+ overflow-text : " +{remaining} more alerts in this file" # Folded notice for extra alerts
53+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
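Review bot: The inputs from `layout` through `overflow-text` on the sticky-comment step do not appear to be inputs of `marocchino/sticky-pull-request-comment` — as far as I know that action only accepts `header`, `message`, `path`, `number`, the `append`/`recreate`/`delete`/`hide` switches, `only_create`/`only_update`/`skip_unchanged`/`ignore_empty` and `GITHUB_TOKEN`, so the severity sorting, grouping and Top-N options would be ignored and the step would post whatever `path` points at verbatim; verify against the action's `action.yml` before relying on the comment layout described in the step name. Note also that `output` on `codeql-action/analyze` names a directory, not a file, so `results.sarif` would contain per-language `python.sarif`/`javascript.sarif` rather than be the SARIF itself. Pasting raw SARIF (file paths, rule ids, code snippets) into a PR comment exposes findings to everyone who can read the PR, which on a public repository is a wider audience than the code-scanning alerts in the Security tab, and the post will fail on PRs from forks where the `pull_request` `GITHUB_TOKEN` is read-only. Prefer a small intermediate step that reduces the SARIF to a markdown summary and passes it via `message`, keep the SARIF out of the comment, and pin the third-party action that is handed a write-capable token to a full commit SHA instead of the mutable `@v2` tag, e.g. `uses: marocchino/sticky-pull-request-comment@<full-commit-sha> # v2`. The job's `permissions:` block is outside this hunk, so confirm it grants only `security-events: write` and `pull-requests: write` (plus `contents: read`).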