Add CodeQL analysis workflow configuration#243

Closed
notdodo wants to merge 1 commit into main from notdodo-patch-1

Conversation

@notdodo
Owner

@notdodo notdodo commented Oct 27, 2025

No description provided.

Signed-off-by: Edoardo Rosa <6991986+notdodo@users.noreply.github.com>
Comment on lines +61 to +70
- name: Checkout repository
uses: actions/checkout@v4

# Add any setup steps before running the `github/codeql-action/init` action.
# This includes steps like installing compilers or runtimes (`actions/setup-node`
# or others). This is typically only required for manual builds.
# - name: Setup runtime (example)
# uses: actions/setup-example@v1

# Initializes the CodeQL tools for scanning.
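Review bot: the `actions/checkout@v4` step at the top of this hunk leaves the job's GITHUB_TOKEN in `.git/config` by default (the action's `persist-credentials` input defaults to `true`), which is what the zizmor credential-persistence warning points at; since the only steps that follow in this workflow are CodeQL init and analyze, which do not push back to the repository, add `with:` / `persist-credentials: false` under the checkout step, and pin the action to a full-length commit SHA instead of the mutable `v4` tag.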

Check warning: Code scanning / zizmor
credential persistence through GitHub Actions artifacts (Warning)
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
steps:
- name: Checkout repository
uses: actions/checkout@v4

Check failure: Code scanning / zizmor
unpinned action reference (Error)

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
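Review bot: `github/codeql-action/init@v4` references a mutable tag, which both zizmor and KICS flag here; pin it to the full-length commit SHA of the release and keep the tag as a trailing comment so version bumps stay readable, e.g. `uses: github/codeql-action/init@<40-hex-commit-sha> # v4`, verifying that the SHA comes from the action's own repository rather than a fork, as the KICS finding notes. The same change applies to `actions/checkout` and `github/codeql-action/analyze` in this file.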

Check failure: Code scanning / zizmor
unpinned action reference (Error)
exit 1

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4

Check failure: Code scanning / zizmor
unpinned action reference (Error)
@github-actions


KICS version: v2.1.14

Category    Results
CRITICAL    0
HIGH        0
MEDIUM      0
LOW         2
INFO        0
TRACE       0
TOTAL       2

Metric                       Value
Files scanned                1
Files parsed                 1
Files failed to scan         0
Total executed queries       4
Queries failed to execute    0
Execution time               0

Queries Results

Query Name: Unpinned Actions Full Length Commit SHA
Query Id: 555ab8f9-2001-455e-a077-f2d0f41e2fb9
Severity: LOW
Platform: CICD
CWE: 829
Cloud Provider: COMMON
Category: Supply-Chain
Experimental: false
Description: Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Finding 1
File Name: .github/workflows/codeql.yml
Line: 101
Issue Type: IncorrectValue
Search Key: uses={{github/codeql-action/analyze@v4}}
Expected Value: Action pinned to a full length commit SHA.
Actual Value: Action is not pinned to a full length commit SHA.

Finding 2
File Name: .github/workflows/codeql.yml
Line: 72
Issue Type: IncorrectValue
Search Key: uses={{github/codeql-action/init@v4}}
Expected Value: Action pinned to a full length commit SHA.
Actual Value: Action is not pinned to a full length commit SHA.

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.


# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v4

Check notice: Code scanning / KICS
Unpinned Actions Full Length Commit SHA (Note)
Action is not pinned to a full length commit SHA.
exit 1

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4

Check notice: Code scanning / KICS
Unpinned Actions Full Length Commit SHA (Note)
Action is not pinned to a full length commit SHA.
@notdodo notdodo closed this Oct 27, 2025
@notdodo notdodo deleted the notdodo-patch-1 branch October 27, 2025 05:35