43 lines
1.5 KiB
Bash
Executable File
43 lines
1.5 KiB
Bash
Executable File
#!/bin/bash
|
|
set -e
|
|
|
|
# Check if gh is installed
|
|
if ! command -v gh &> /dev/null; then
|
|
echo "Error: GitHub CLI (gh) is not installed."
|
|
exit 1
|
|
fi
|
|
|
|
# Check if gh-codeql extension is installed
|
|
if ! gh extension list | grep -q "github/gh-codeql"; then
|
|
echo "Installing GitHub CodeQL extension..."
|
|
gh extension install github/gh-codeql
|
|
fi
|
|
|
|
echo "Creating CodeQL database..."
|
|
# Remove existing db if any
|
|
rm -rf codeql-db
|
|
|
|
# Clean up build artifacts and coverage reports to prevent false positives
|
|
echo "Cleaning up build artifacts..."
|
|
rm -rf frontend/dist backend/coverage
|
|
|
|
# Create the database cluster
|
|
echo "Creating CodeQL database cluster..."
|
|
# We specify --command to ensure Go builds correctly
|
|
# We include javascript to scan the frontend (TypeScript/React)
|
|
# We use --db-cluster to support multiple languages
|
|
gh codeql database create codeql-db --language=go,javascript --db-cluster --source-root . --command "./tools/build.sh" --overwrite
|
|
|
|
echo "Analyzing CodeQL database..."
|
|
# Analyze Go
|
|
echo "Analyzing Go..."
|
|
gh codeql database analyze codeql-db/go codeql/go-queries:codeql-suites/go-security-and-quality.qls --format=sarif-latest --output=codeql-results-go.sarif --download
|
|
|
|
# Analyze JavaScript/TypeScript
|
|
echo "Analyzing JavaScript/TypeScript..."
|
|
gh codeql database analyze codeql-db/javascript codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls --format=sarif-latest --output=codeql-results-js.sarif --download
|
|
|
|
echo "Scan complete."
|
|
echo "Go results: codeql-results-go.sarif"
|
|
echo "JS/TS results: codeql-results-js.sarif"
|