diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 0000000..04c7ef9 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,115 @@ +# Copyright (C) 2026 Moko Consulting +# +# This file is part of a Moko Consulting project. +# +# SPDX-License-Identifier: GPL-3.0-or-later +# +# FILE INFORMATION +# DEFGROUP: GitHub.Workflow.Template +# INGROUP: MokoStandards.Security +# REPO: https://github.com/mokoconsulting-tech/MokoStandards +# PATH: /templates/workflows/generic/codeql-analysis.yml +# VERSION: 04.00.15 +# BRIEF: CodeQL security scanning workflow (generic — all repo types) +# NOTE: Deployed to .github/workflows/codeql-analysis.yml in governed repos. +# CodeQL does not support PHP directly; JavaScript scans JSON/YAML/shell. +# For PHP-specific security scanning see standards-compliance.yml. + +name: CodeQL Security Scanning + +on: + push: + branches: + - main + - dev/** + - rc/** + - version/** + pull_request: + branches: + - main + - dev/** + - rc/** + schedule: + # Weekly on Monday at 06:00 UTC + - cron: '0 6 * * 1' + workflow_dispatch: + +permissions: + actions: read + contents: read + security-events: write + pull-requests: read + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + timeout-minutes: 360 + + strategy: + fail-fast: false + matrix: + # CodeQL does not support PHP. Use 'javascript' to scan JSON, YAML, + # and shell scripts. Add 'actions' to scan GitHub Actions workflows. + language: ['javascript', 'actions'] + + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + queries: security-extended,security-and-quality + + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{ matrix.language }}" + upload: true + output: sarif-results + wait-for-processing: true + + - name: Upload SARIF results + if: always() + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.5.0 + with: + name: codeql-results-${{ matrix.language }} + path: sarif-results + retention-days: 30 + + - name: Step summary + if: always() + run: | + echo "### 🔍 CodeQL — ${{ matrix.language }}" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + URL="https://github.com/${{ github.repository }}/security/code-scanning" + echo "See the [Security tab]($URL) for findings." >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "| Severity | SLA |" >> $GITHUB_STEP_SUMMARY + echo "|----------|-----|" >> $GITHUB_STEP_SUMMARY + echo "| Critical | 7 days |" >> $GITHUB_STEP_SUMMARY + echo "| High | 14 days |" >> $GITHUB_STEP_SUMMARY + echo "| Medium | 30 days |" >> $GITHUB_STEP_SUMMARY + echo "| Low | 60 days / next release |" >> $GITHUB_STEP_SUMMARY + + summary: + name: Security Scan Summary + runs-on: ubuntu-latest + needs: analyze + if: always() + + steps: + - name: Summary + run: | + echo "### 🛡️ CodeQL Complete" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "**Trigger:** ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY + echo "**Branch:** ${{ github.ref_name }}" >> $GITHUB_STEP_SUMMARY + SECURITY_URL="https://github.com/${{ github.repository }}/security" + echo "" >> $GITHUB_STEP_SUMMARY + echo "📊 [View all security alerts]($SECURITY_URL)" >> $GITHUB_STEP_SUMMARY