Skip to content

sec(ci): setup CodeQL workflow #73

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Aug 27, 2025
Merged

sec(ci): setup CodeQL workflow #73

merged 2 commits into from
Aug 27, 2025

Conversation

@josimar-silva
Copy link
Owner

@josimar-silva josimar-silva commented Aug 27, 2025

No description provided.

@josimar-silva josimar-silva self-assigned this Aug 27, 2025
@github-advanced-security
Copy link

github-advanced-security bot commented Aug 27, 2025

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@josimar-silva josimar-silva force-pushed the sec/setup-security-workflows branch from fe9c52b to 26e9858 Compare August 27, 2025 19:19
github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 27, 2025
View reviewed changes
.github/workflows/codeql.yaml
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5

- name: ⚙️ Setup CodeQL
uses: github/codeql-action/init@v3

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 8: GitHub-owned GitHubAction not pinned by hash
Remediation tip: update your workflow using https://app.stepsecurity.io
Click Remediation section below for further remediation help
Copy link
Owner Author

@josimar-silva josimar-silva Aug 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renovate will do it.

.github/workflows/codeql.yaml
build-mode: ${{ matrix.build-mode }}

- name: 🔍 Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 8: GitHub-owned GitHubAction not pinned by hash
Remediation tip: update your workflow using https://app.stepsecurity.io
Click Remediation section below for further remediation help
Copy link
Owner Author

@josimar-silva josimar-silva Aug 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renovate will do it.

.github/workflows/security-scorecard.yaml
persist-credentials: false

- name: 🔍 Run analysis
uses: ossf/scorecard-action@v2.4.2

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 8: third-party GitHubAction not pinned by hash
Remediation tip: update your workflow using https://app.stepsecurity.io
Click Remediation section below for further remediation help
Copy link
Owner Author

@josimar-silva josimar-silva Aug 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renovate will do it.

.github/workflows/security-scorecard.yaml
publish_results: true

- name: ⬆️ Upload artifact
uses: actions/upload-artifact@v4

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 8: GitHub-owned GitHubAction not pinned by hash
Remediation tip: update your workflow using https://app.stepsecurity.io
Click Remediation section below for further remediation help
Copy link
Owner Author

@josimar-silva josimar-silva Aug 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renovate will do it.

.github/workflows/security-scorecard.yaml
retention-days: 5

- name: ⬆️ Upload to code-scanning
uses: github/codeql-action/upload-sarif@v3

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 8: GitHub-owned GitHubAction not pinned by hash
Remediation tip: update your workflow using https://app.stepsecurity.io
Click Remediation section below for further remediation help
Copy link
Owner Author

@josimar-silva josimar-silva Aug 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renovate will do it.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Aug 27, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@josimar-silva josimar-silva merged commit 1299486 into main Aug 27, 2025
18 checks passed
@josimar-silva josimar-silva deleted the sec/setup-security-workflows branch August 27, 2025 19:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@josimar-silva josimar-silva

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@josimar-silva