Acasă Explorează Ajutor
Înregistrare Autentificare
Apq
/
coturn
oglindă de https://github.com/coturn/coturn.git
1
0
Bifurcare 0
Fisiere Probleme 0 Wiki
Răsfoiți Sursa

Add CodeQL workflow (#1228)

Hello from [GitHub Security Lab](https://securitylab.github.com/)!

Your repository is critical to the security of the Open Source Software
(OSS) ecosystem and as part of our mission to make OSS safer, we are
contributing a [CodeQL configuration for code
scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#setting-up-code-scanning-manually)
to your repository. By enabling code scanning with CodeQL, you will be
able to continuously analyze your code and surface potential
vulnerabilities [before they can even reach your
codebase](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests#about-code-scanning-results-on-pull-requests).
In fact, you may have seen some alerts already appearing on this pull
request!

We’ve tested the configuration manually before opening this pull request
and adjusted it to the needs of your particular repository, but feel
free to tweak it further! Check [this
page](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#editing-a-code-scanning-workflow) for
detailed documentation.

Questions? Check out the FAQ below!

### FAQ
<details>
<summary>Click here to expand the FAQ section</summary>

#### How often will the code scanning analysis run?
By default, code scanning will trigger a scan with the CodeQL engine on
the following events:
* On every pull request — to flag up potential security problems for you
to investigate before merging a PR.
* On every push to your default branch and other protected branches —
this keeps the analysis results on your repository’s *Security* tab up
to date.
* Once a week at a fixed time — to make sure you benefit from the latest
updated security analysis even when no code was committed or PRs were
opened.

#### What will this cost?
Nothing! The CodeQL engine will run inside GitHub Actions, making use of
your [unlimited free compute minutes for public
repositories](https://docs.github.com/en/actions/learn-github-actions/usage-limits-billing-and-administration#about-billing-for-github-actions).

#### Where can I see the results of the analysis?
The results of the analysis will be available on the *Security* tab of
your repository. You can find more information about the results
[here](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository).

#### What types of problems does CodeQL find?
By default, code scanning runs the [`default` query
suite](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/built-in-codeql-query-suites#default-query-suite).

#### How do I upgrade my CodeQL engine?
No need! New versions of the CodeQL analysis are constantly deployed on
GitHub.com; your repository will automatically benefit from the most
recently released version.

#### The analysis doesn’t seem to be working
If you get an error in GitHub Actions that indicates that CodeQL wasn’t
able to analyze your code, please [follow the instructions
here](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow)
to debug the analysis.

#### Which source code hosting platforms does code scanning support?
GitHub code scanning is deeply integrated within GitHub itself. If you’d
like to scan source code that is hosted elsewhere, we suggest that you
create a mirror of that code on GitHub.

</details>
Jorge 2 ani în urmă
părinte
d7db17f048
comite
0924770181
1 a modificat fișierele cu 67 adăugiri și 0 ștergeri
Vizualizare divizată Arată Statisticile Diff
  1. 67 0
      .github/workflows/codeql.yml

+ 67 - 0
.github/workflows/codeql.yml
Vizualizați fișierul 

@@ -0,0 +1,67 @@
 
+name: "CodeQL"
 
+
 
+on:
 
+  push:
 
+    branches: [ 'master' ]
 
+  pull_request:
 
+    # The branches below must be a subset of the branches above
 
+    branches: [ 'master' ]
 
+  schedule:
 
+    - cron: '6 13 * * 4'
 
+
 
+jobs:
 
+  analyze:
 
+    name: Analyze
 
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
 
+    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
 
+    permissions:
 
+      actions: read
 
+      contents: read
 
+      security-events: write
 
+
 
+    strategy:
 
+      fail-fast: false
 
+      matrix:
 
+        language: [ 'cpp' ]
 
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
 
+        # Use only 'java' to analyze code written in Java, Kotlin or both
 
+        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
 
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
+
 
+    steps:
 
+    - name: Checkout repository
 
+      uses: actions/checkout@v3
 
+
 
+    - if: matrix.language == 'cpp'
 
+      name: Build C
 
+      run: |
 
+        sudo apt-get update
 
+        sudo apt-get install -y --no-install-recommends --no-install-suggests autoconf ca-certificates coreutils g++ git libtool make pkg-config
 
+        sudo apt-get install -y --no-install-recommends --no-install-suggests libevent-dev libssl-dev libpq-dev libmariadb-dev libsqlite3-dev libhiredis-dev libmongoc-dev libmicrohttpd-dev
 
+
 
+    # Initializes the CodeQL tools for scanning.
 
+    - name: Initialize CodeQL
 
+      uses: github/codeql-action/init@v2
 
+      with:
 
+        languages: ${{ matrix.language }}
 
+        # If you wish to specify custom queries, you can do so here or in a config file.
 
+        # By default, queries listed here will override any specified in a config file.
 
+        # Prefix the list here with "+" to use these queries and those in the config file.
 
+
 
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
 
+        # queries: security-extended,security-and-quality
 
+
 
+    - if: matrix.language == 'cpp'
 
+      name: Build C
 
+      run: ./configure && make
 
+
 
+    # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
 
+    # If this step fails, then you should remove it and run the build manually (see below)
 
+    - if: matrix.language != 'cpp'
 
+      name: Autobuild
 
+      uses: github/codeql-action/autobuild@v2
 
+
 
+    - name: Perform CodeQL Analysis
 
+      uses: github/codeql-action/analyze@v2
 
+      with:
 
+        category: "/language:${{matrix.language}}"