🔍 BlackRoad CodeQL Security Analysis #16
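name: 🔍 BlackRoad CodeQL Security Analysis

on:
  push:
    branches: [ main, master, develop ]
  pull_request:
    branches: [ main, master, develop ]
  schedule:
    # Run at 4 AM UTC every Monday (10 PM CST Sunday)
    - cron: '0 4 * * 1'
  workflow_dispatch:

# Least-privilege GITHUB_TOKEN for the whole workflow.
# `issues: write` is required by the "Create Issue on Failure" step below
# (github.rest.issues.create); without it that step fails with
# "Resource not accessible by integration" and the failure notification
# is never delivered.
# `security-events: write` is what the analyze step needs to upload SARIF
# to code scanning.
permissions:
  actions: read
  contents: read
  issues: write
  security-events: write

jobs:
  analyze:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    strategy:
      # Keep analysing the other language when one matrix entry fails.
      fail-fast: false
      matrix:
        # Override auto-detection and specify languages manually
        # Supported: 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift'
        language: [ 'javascript', 'python' ]

    steps:
      # NOTE(review): every third-party action below is referenced by a
      # mutable tag (@v4, @v3, @v7). Pinning each `uses:` to a full-length
      # commit SHA (with the tag kept in a trailing comment) removes the
      # risk of a retargeted or compromised tag; the tags are kept here
      # until the SHAs have been looked up.
      - name: 📥 Checkout Repository
        uses: actions/checkout@v4

      - name: 🔍 Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Default suite plus the lower-severity security and
          # maintainability queries.
          queries: +security-and-quality

      # Autobuild is only needed for compiled languages (Java, C++, C#, Go,
      # Swift). JavaScript and Python are analysed without a build, so the
      # step is skipped for the interpreted languages in the matrix; it
      # still runs if a compiled language is added later.
      - name: 🏗️ Autobuild
        if: matrix.language != 'javascript' && matrix.language != 'python'
        uses: github/codeql-action/autobuild@v3

      # NOTE(review): on pull_request events from forks the token is
      # read-only, so the SARIF upload to code scanning may be rejected
      # for those runs — confirm against a fork PR before relying on it.
      - name: 🔒 Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{matrix.language}}"

      - name: 📊 Upload Results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: codeql-results-${{ matrix.language }}
          # NOTE(review): the analyze action writes its SARIF outside the
          # workspace by default, while this glob is workspace-relative, so
          # the artifact may be empty — confirm it contains files, or point
          # the analyze step's `output` input at a directory inside the
          # workspace.
          path: |
            **/results/*.sarif
            **/results/*.csv
          retention-days: 30

      # One issue is created per failed matrix entry on every failed run
      # (scheduled runs included); there is no de-duplication against an
      # already-open issue.
      - name: 📝 Create Issue on Failure
        if: failure()
        uses: actions/github-script@v7
        with:
          script: |
            // Needs `issues: write` in the workflow-level permissions block.
            // `${{ matrix.language }}` is substituted by Actions before the
            // script runs; it is workflow-controlled, not user input.
            const issue = await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: '🔒 CodeQL Security Analysis Failed',
              body: `## CodeQL Analysis Failed

            **Language:** ${{ matrix.language }}
            **Workflow:** ${context.workflow}
            **Run:** ${context.runId}
            **URL:** https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}

            Please review the security findings and address any critical vulnerabilities.

            ---
            © 2025-2026 BlackRoad OS, Inc.
            `,
              labels: ['security', 'codeql', 'automated'],
            });
            console.log('Created issue:', issue.data.number);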