ci: apply OSSF Scorecard security best practices (#186) · expressjs/cookie-session@127d899 (original) (raw)
``
1
`+
For most projects, this workflow file will not need changing; you simply need
`
``
2
`+
to commit it to your repository.
`
``
3
`+
`
``
4
`+
You may wish to alter this file to override the set of languages analyzed,
`
``
5
`+
or to provide custom queries or build logic.
`
``
6
`+
`
``
7
`+
******** NOTE ********
`
``
8
`+
We have attempted to detect the languages in your repository. Please check
`
``
9
`` +
the language matrix defined below to confirm you have the correct set of
``
``
10
`+
supported CodeQL languages.
`
``
11
`+
`
``
12
`+
name: "CodeQL"
`
``
13
+
``
14
`+
on:
`
``
15
`+
push:
`
``
16
`+
branches: ["master"]
`
``
17
`+
pull_request:
`
``
18
`+
The branches below must be a subset of the branches above
`
``
19
`+
branches: ["master"]
`
``
20
`+
schedule:
`
``
21
`+
- cron: "0 0 * * 1"
`
``
22
+
``
23
`+
permissions:
`
``
24
`+
contents: read
`
``
25
+
``
26
`+
jobs:
`
``
27
`+
analyze:
`
``
28
`+
name: Analyze
`
``
29
`+
runs-on: ubuntu-latest
`
``
30
`+
permissions:
`
``
31
`+
actions: read
`
``
32
`+
contents: read
`
``
33
`+
security-events: write
`
``
34
+
``
35
`+
strategy:
`
``
36
`+
fail-fast: false
`
``
37
`+
matrix:
`
``
38
`+
language: ["javascript"]
`
``
39
`+
CodeQL supports [ $supported-codeql-languages ]
`
``
40
`+
Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
`
``
41
+
``
42
`+
steps:
`
``
43
`+
- name: Checkout repository
`
``
44
`+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
`
``
45
+
``
46
`+
Initializes the CodeQL tools for scanning.
`
``
47
`+
- name: Initialize CodeQL
`
``
48
`+
uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
`
``
49
`+
with:
`
``
50
`+
languages: ${{ matrix.language }}
`
``
51
`+
If you wish to specify custom queries, you can do so here or in a config file.
`
``
52
`+
By default, queries listed here will override any specified in a config file.
`
``
53
`+
Prefix the list here with "+" to use these queries and those in the config file.
`
``
54
+
``
55
`+
Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
`
``
56
`+
If this step fails, then you should remove it and run the build manually (see below)
`
``
57
`+
- name: Autobuild
`
``
58
`+
uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
`
``
59
+
``
60
`+
ℹ️ Command-line programs to run using the OS shell.
`
``
61
`+
📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
`
``
62
+
``
63
`+
If the Autobuild fails above, remove it and uncomment the following three lines.
`
``
64
`+
modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
`
``
65
+
``
66
`+
- run: |
`
``
67
`+
echo "Run, Build Application using script"
`
``
68
`+
./location_of_script_within_repo/buildscript.sh
`
``
69
+
``
70
`+
- name: Perform CodeQL Analysis
`
``
71
`+
uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
`
``
72
`+
with:
`
``
73
`+
category: "/language:${{matrix.language}}"
`