chore: Update CodeQL scan scripts and documentation for CI alignment and deprecate old suites
This commit is contained in:
GitHub Actions
@@ -95,6 +95,7 @@ run_codeql_scan() {
|
||||
local source_root=$2
|
||||
local db_name="codeql-db-${lang}"
|
||||
local sarif_file="codeql-results-${lang}.sarif"
|
||||
local suite=""
|
||||
local build_mode_args=()
|
||||
local codescanning_config="${PROJECT_ROOT}/.github/codeql/codeql-config.yml"
|
||||
|
||||
@@ -107,6 +108,9 @@ run_codeql_scan() {
|
||||
|
||||
if [[ "${lang}" == "javascript" ]]; then
|
||||
build_mode_args=(--build-mode=none)
|
||||
suite="codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls"
|
||||
else
|
||||
suite="codeql/go-queries:codeql-suites/go-security-and-quality.qls"
|
||||
fi
|
||||
|
||||
log_step "CODEQL" "Scanning ${lang} code in ${source_root}/"
|
||||
@@ -135,8 +139,9 @@ run_codeql_scan() {
|
||||
fi
|
||||
|
||||
# Run analysis
|
||||
log_info "Analyzing with Code Scanning config (CI-aligned query filters)..."
|
||||
log_info "Analyzing with CI-aligned suite: ${suite}"
|
||||
if ! codeql database analyze "${db_name}" \
|
||||
"${suite}" \
|
||||
--format=sarif-latest \
|
||||
--output="${sarif_file}" \
|
||||
--sarif-add-baseline-file-info \
|
||||
|
||||
7
.github/skills/security-scan-codeql.SKILL.md
vendored
7
.github/skills/security-scan-codeql.SKILL.md
vendored
@@ -136,8 +136,8 @@ This skill uses the **security-and-quality** suite to match CI:
|
||||
|
||||
| Language | Suite | Queries | Coverage |
|
||||
|----------|-------|---------|----------|
|
||||
| Go | go-security-and-quality.qls | 61 | Security + quality issues |
|
||||
| JavaScript | javascript-security-and-quality.qls | 204 | Security + quality issues |
|
||||
| Go | go-security-and-quality.qls | version-dependent | Security + quality issues |
|
||||
| JavaScript | javascript-security-and-quality.qls | version-dependent | Security + quality issues |
|
||||
|
||||
**Note:** This matches GitHub Actions CodeQL default configuration exactly.
|
||||
|
||||
@@ -260,8 +260,7 @@ This skill is specifically designed to match GitHub Actions CodeQL workflow:
|
||||
| Parameter | Local | CI | Aligned |
|
||||
|-----------|-------|-----|---------|
|
||||
| Query Suite | security-and-quality | security-and-quality | ✅ |
|
||||
| Go Queries | 61 | 61 | ✅ |
|
||||
| JS Queries | 204 | 204 | ✅ |
|
||||
| Query Expansion | version-dependent | version-dependent | ✅ (when versions match) |
|
||||
| Threading | auto | auto | ✅ |
|
||||
| Baseline Info | enabled | enabled | ✅ |
|
||||
|
||||
|
||||
Reference in New Issue
Block a user