100 changes: 100 additions & 0 deletions .github/workflows/codeql.yml
@@ -0,0 +1,100 @@
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL Advanced"

🧹 Nitpick (assertive)

Workflow Name Clarity
The workflow name "CodeQL Advanced" is clear. Consider aligning it with your existing naming conventions or removing the quotes for consistency.

🤖 Prompt for AI Agents
In .github/workflows/codeql.yml at line 12, the workflow name is set as "CodeQL
Advanced" with quotes. To maintain consistency with existing naming conventions,
remove the quotes around the workflow name or adjust it to match the style used
in other workflow files.


on:
push:
branches: [ "develop" ]
pull_request:
branches: [ "develop" ]
schedule:
- cron: '16 0 * * 5'

jobs:
analyze:
name: Analyze (${{ matrix.language }})
# Runner size impacts CodeQL analysis time. To learn more, please see:
# - https://gh.io/recommended-hardware-resources-for-running-codeql
# - https://gh.io/supported-runners-and-hardware-resources
# - https://gh.io/using-larger-runners (GitHub.com only)
# Consider using larger runners or machines with greater resources for possible analysis time improvements.
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
permissions:
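Review bot: the `push` and `pull_request` triggers above are limited to `develop`, and GitHub runs `schedule` workflows from the default branch's copy of the workflow file, so if `develop` is not the repository's default branch the weekly cron (`16 0 * * 5`) never fires and pull requests targeting any other branch are never analyzed. Either confirm `develop` is the default branch or add the default branch to both `branches` lists. Separately, the `swift` arm of the `runs-on` expression is dead with the matrix as written (only `actions` and `python`), so a plain `runs-on: ubuntu-latest` would be simpler.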
Comment on lines +30 to +31

🧹 Nitpick (assertive)

Simplify runs-on Setup
The inline conditional expression works, but you could move the OS configuration into the matrix for better readability and easier expansion:

matrix:
  include:
    - language: swift
      os: macos-latest
      build-mode: none
    - language: python
      os: ubuntu-latest
      build-mode: none
runs-on: ${{ matrix.os }}
🤖 Prompt for AI Agents
In .github/workflows/codeql.yml around lines 30 to 31, the runs-on field uses an
inline conditional expression to select the OS based on the language, which
reduces readability and flexibility. Refactor by moving the OS configuration
into the matrix definition, adding an os key for each language entry, and then
update runs-on to simply use ${{ matrix.os }}. This change improves clarity and
makes it easier to add more languages or OS options in the future.

# required for all workflows
security-events: write

# required to fetch internal or private CodeQL packs
packages: read

# only required for workflows in private repositories
actions: read
contents: read

strategy:
fail-fast: false
matrix:
include:
- language: actions
build-mode: none
- language: python
build-mode: none
Comment on lines +44 to +49

⚠️ Potential issue

Matrix include Indentation & Language Coverage
YAML lint reports the - language: entries are under-indented (expected 10 spaces, found 8), which will break the YAML. Also, double-check that all intended languages are listed. For example:

-        - language: actions
-          build-mode: none
+          - language: actions
+            build-mode: none

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 46-46: wrong indentation: expected 10 but found 8

(indentation)

🤖 Prompt for AI Agents
In .github/workflows/codeql.yml around lines 44 to 49, the entries under matrix
include are under-indented by 2 spaces, causing YAML lint errors. Adjust the
indentation of the - language: lines and their nested build-mode lines to be 10
spaces from the left margin as expected. Also, review the matrix to ensure all
required languages for the workflow are included.

# CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
# Use `c-cpp` to analyze code written in C, C++ or both
# Use 'java-kotlin' to analyze code written in Java, Kotlin or both
# Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
# To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
# see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
# If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
steps:
- name: Checkout repository
uses: actions/checkout@v4
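Review bot: `actions/checkout@v4` here, and the `github/codeql-action/init@v3` / `github/codeql-action/analyze@v3` references later in this hunk, are pinned to mutable major-version tags. Because this job holds `security-events: write`, pin each action to a full commit SHA and keep the tag in a trailing comment (for example `uses: actions/checkout@<full-commit-sha> # v4`, with the SHA taken from the release you verified), then let Dependabot or a similar updater move the SHA; a moving tag lets a force-pushed or compromised release change what runs in this job without any change to this file.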

Comment on lines +58 to +61

⚠️ Potential issue

Fix Steps Indentation
The steps: block and its first step are misaligned. Adjust the indent so the dash is nested under steps: (two spaces in from the block key):

-     steps:
-     - name: Checkout repository
+       steps:
+         - name: Checkout repository

This is critical to ensure the workflow parses correctly.

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 59-59: wrong indentation: expected 6 but found 4

(indentation)

🤖 Prompt for AI Agents
In .github/workflows/codeql.yml around lines 58 to 61, the indentation of the
steps block and its first step is incorrect. Fix this by indenting the dash of
the first step two spaces under the steps key, ensuring proper YAML nesting and
correct workflow parsing.

# Add any setup steps before running the `github/codeql-action/init` action.
# This includes steps like installing compilers or runtimes (`actions/setup-node`
# or others). This is typically only required for manual builds.
# - name: Setup runtime (example)
# uses: actions/setup-example@v1

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
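Review bot: the init step leaves `queries` unset, so only CodeQL's default suite runs; the commented-out `# queries: security-extended,security-and-quality` line further down in this hunk is the knob. For a workflow whose whole purpose is security scanning, enabling at least `security-extended` deserves an explicit decision here rather than surviving only as a comment. Note also that the `actions` matrix entry analyzes the repository's own workflow files, including this one, which is worth keeping.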

Comment on lines +69 to +77

🧹 Nitpick (assertive)

Initialize CodeQL Configuration
The init step correctly drives languages and build modes via the matrix. To speed up subsequent runs, consider enabling caching:

-    uses: github/codeql-action/init@v3
+    uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}
        build-mode: ${{ matrix.build-mode }}
+       cache: true
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
cache: true
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
🤖 Prompt for AI Agents
In .github/workflows/codeql.yml around lines 69 to 77, the CodeQL init step
lacks caching configuration which can speed up subsequent runs. Add a cache
option under the init step by specifying cache: true to enable caching of CodeQL
databases between workflow runs, improving performance.

# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality

# If the analyze step fails for one of the languages you are analyzing with
# "We were unable to automatically build your code", modify the matrix above
# to set the build mode to "manual" for that language. Then modify this step
# to build your code.
# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- if: matrix.build-mode == 'manual'
shell: bash
run: |
echo 'If you are using a "manual" build mode for one or more of the' \
'languages you are analyzing, replace this with the commands to build' \
'your code, for example:'
echo ' make bootstrap'
echo ' make release'
exit 1

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
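Review bot: the `cache: true` input proposed in the earlier comment on the init step is not part of this hunk and should be checked against the `action.yml` of the `github/codeql-action` version actually used before it is adopted; GitHub Actions only emits a warning for an unrecognized `with:` key, so a wrong key would silently do nothing. The analyze step itself is fine: the per-language `category` keeps results from the two matrix entries from overwriting each other, and the `manual` build stub before it (with its `exit 1`) is unreachable while both matrix entries use `build-mode: none`.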
Comment on lines +97 to +100

🧹 Nitpick (assertive)

Perform CodeQL Analysis
The analyze action is hooked up properly. Optionally, you could specify SARIF or upload settings if you need custom formatting or external integrations; otherwise, this looks good.

🤖 Prompt for AI Agents
In .github/workflows/codeql.yml around lines 97 to 100, the CodeQL analyze
action is correctly configured but lacks optional parameters for SARIF output or
upload settings. To enhance customization or integration, add parameters to
specify SARIF output file paths or upload options as needed. If no custom
formatting or external integration is required, no changes are necessary.