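# CodeQL security analysis (SAST) for Rust.
# Full reference: https://docs.github.com/en/code-security/code-scanning
#
# Runs GitHub's CodeQL engine against the workspace to surface security-relevant
# bug patterns (injection, unsafe data flow, crypto misuse, ...). Findings appear
# as Code scanning alerts in the Security tab, with Copilot Autofix suggestions.
#
# Hardening this file relies on (keep all of it when editing):
#   * `permissions: {}` at the workflow level; the analyze job opts into only the
#     three scopes it needs (upload alerts, read the checkout, read run metadata).
#   * Every action pinned to a full commit SHA, never a mutable tag or branch.
#   * checkout runs with `persist-credentials: false`, so the job token is not
#     written into .git/config where later steps could read it.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  # Re-scan unchanged code weekly so newly published CodeQL queries catch latent
  # issues that no PR would otherwise trigger a scan for. Monday 04:30 UTC.
  schedule:
    - cron: "30 4 * * 1"

# One run per workflow+ref. Only pull-request runs are superseded by a newer push;
# a default-branch (push) or scheduled scan is always allowed to finish, so a
# burst of pushes to main cannot leave the Security tab without a completed scan
# if the newest run then fails or times out.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# Least-privilege floor: grant nothing by default; the job opts into what it needs.
permissions: {}

jobs:
  analyze:
    name: Analyze (rust)
    runs-on: ubuntu-latest
    # Bound the job so a hung extractor or upload does not hold a runner indefinitely.
    timeout-minutes: 30
    permissions:
      # Upload analysis results as code scanning alerts.
      security-events: write
      # Read the repo (checkout) and workflow metadata.
      contents: read
      actions: read
    steps:
      # Every action is pinned to a full commit SHA (supply-chain hardening); the
      # trailing comment records the human-readable version Dependabot keeps fresh.
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # CodeQL never pushes; don't persist the token in .git/config.
          persist-credentials: false
      # Rust no-build scanning is GA (2025-10-14): CodeQL extracts source directly,
      # so no Rust toolchain setup or cargo build is required. Default query suite
      # (high precision, low false-positive) is used when `queries` is omitted;
      # set `queries: security-extended` for broader coverage at the cost of more
      # false positives.
      - name: initialize CodeQL
        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          languages: rust
          build-mode: none
      - name: perform CodeQL analysis
        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          category: "/language:rust"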