feat: set security-extended as default for code-ql (#71)

* feat: set security-extended as default for code-ql
entur · Jan 16, 2025 · 8003834 · 8003834
1 parent 2c4e3fa
commit 8003834
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 3 deletions.
diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml
@@ -8,6 +8,11 @@ on:
         default: false
         required: false
         type: boolean
+      codeql_queries:
+        description: 'Comma-separated list of queries for CodeQL to run. By default is set to security-extended.'
+        default: "security-extended"
+        required: false
+        type: string
     secrets:
       external_repository_token:
         description: 'Token to access the external repository mentioned in the codescan.yml file. Must have read access to the repository.'
@@ -16,8 +21,27 @@ env:
   GITHUB_REPOSITORY: ${{ github.repository }}
 
 jobs:
+  input_validation:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: "Validate input CodeQL queries"
+        env:
+          CODEQL_QUERIES: ${{ inputs.codeql_queries }}
+        run: |
+          python -c "import re
+          import os
+          codeql_queries = os.environ['CODEQL_QUERIES']
+          regex_matches = re.findall(r'[^,\s?]+', codeql_queries)
+          
+          if (len(regex_matches) <= 0):
+              print('Invalid input. codeql_queries is set to invalid list. Use a comma-separated list: default, security-extended')
+              os.system('''echo '## Code Scan - Invalid input\n codeql_queries is set to invalid list.\n Use a comma-separated list as example: default, security-extended' >> $GITHUB_STEP_SUMMARY''')
+              exit(1)
+          
+          os.system('echo Validation passed')"
   upload-scan-reports-from-matching-pr:
     runs-on:  ubuntu-24.04
+    needs: input_validation
     outputs:
       skip_job_and_continue_scan: ${{ env.GHA_SECURITY_CODE_SCAN_SKIP_JOB_AND_CONTINUE_SCAN }}
     permissions:
@@ -354,12 +378,14 @@ jobs:
         with:
           languages: ${{ matrix.language }}
           build-mode: autobuild
+          queries: ${{ inputs.codeql_queries }}
 
       - name: "Initialize CodeQL"
         if: matrix.language != 'java' && matrix.language != 'kotlin'
         uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
+          queries: ${{ inputs.codeql_queries }}
 
       - name: "Perform CodeQL Analysis"
         id: codeql-analysis

diff --git a/README-code-scan.md b/README-code-scan.md
@@ -18,9 +18,10 @@ or add the Entur Shared Workflow _CodeQL Scan_. Go to the _Actions_ tab in your
 
 <!-- AUTO-DOC-INPUT:START - Do not remove or modify this section -->
 
-|                                      INPUT                                       |  TYPE   | REQUIRED | DEFAULT |                                                                            DESCRIPTION                                                                             |
-|----------------------------------------------------------------------------------|---------|----------|---------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| <a name="input_use_setup_gradle"></a>[use_setup_gradle](#input_use_setup_gradle) | boolean |  false   | `false` | Use "gradle/action/setup-gradle" before running autobuild <br>(Java/Kotlin only). Potentially speeds up build <br>times if cache from main <br>branch is utilized  |
+|                                      INPUT                                       |  TYPE   | REQUIRED |        DEFAULT        |                                                                            DESCRIPTION                                                                             |
+|----------------------------------------------------------------------------------|---------|----------|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|    <a name="input_codeql_queries"></a>[codeql_queries](#input_codeql_queries)    | string  |  false   | `"security-extended"` |                                Comma-separated list of queries for <br>CodeQL to run. By default <br>is set to security-extended.                                  |
+| <a name="input_use_setup_gradle"></a>[use_setup_gradle](#input_use_setup_gradle) | boolean |  false   |        `false`        | Use "gradle/action/setup-gradle" before running autobuild <br>(Java/Kotlin only). Potentially speeds up build <br>times if cache from main <br>branch is utilized  |
 
 <!-- AUTO-DOC-INPUT:END -->