diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 04c7ef9..123a1a7 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -5,17 +5,15 @@ # SPDX-License-Identifier: GPL-3.0-or-later # # FILE INFORMATION -# DEFGROUP: GitHub.Workflow.Template +# DEFGROUP: GitHub.Workflow # INGROUP: MokoStandards.Security # REPO: https://github.com/mokoconsulting-tech/MokoStandards -# PATH: /templates/workflows/generic/codeql-analysis.yml -# VERSION: 04.00.15 -# BRIEF: CodeQL security scanning workflow (generic — all repo types) -# NOTE: Deployed to .github/workflows/codeql-analysis.yml in governed repos. -# CodeQL does not support PHP directly; JavaScript scans JSON/YAML/shell. -# For PHP-specific security scanning see standards-compliance.yml. +# PATH: /.github/workflows/codeql-analysis.yml +# VERSION: 04.01.00 +# BRIEF: CodeQL security scanning workflow for PHP codebase +# NOTE: Repository is PHP-only (v04.00.04). Python was removed Feb 12, 2026. -name: CodeQL Security Scanning +name: "CodeQL Security Scanning" on: push: @@ -30,7 +28,7 @@ on: - dev/** - rc/** schedule: - # Weekly on Monday at 06:00 UTC + # Run weekly on Monday at 6:00 AM UTC - cron: '0 6 * * 1' workflow_dispatch: @@ -42,60 +40,65 @@ permissions: jobs: analyze: - name: Analyze (${{ matrix.language }}) + name: Configuration Security Scan runs-on: ubuntu-latest timeout-minutes: 360 - strategy: - fail-fast: false - matrix: - # CodeQL does not support PHP. Use 'javascript' to scan JSON, YAML, - # and shell scripts. Add 'actions' to scan GitHub Actions workflows. - language: ['javascript', 'actions'] + # No language matrix - PHP-only repository + # CodeQL scans workflow files, configs, and scripts for security issues + # PHP security handled by SecurityValidator enterprise library steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4 with: - languages: ${{ matrix.language }} + # No languages specified - scan configurations only + # Reference explicit config to scan YAML, JSON, shell scripts + config-file: ./.github/codeql/codeql-config.yml + # Use security-extended query suite for comprehensive coverage queries: security-extended,security-and-quality - - name: Autobuild - uses: github/codeql-action/autobuild@v3 + # Skip autobuild - no code compilation needed for config scanning - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4 with: - category: "/language:${{ matrix.language }}" + category: "/language:config" upload: true output: sarif-results wait-for-processing: true - - name: Upload SARIF results + - name: Upload SARIF results (optional) if: always() - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.5.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4.5.0 with: - name: codeql-results-${{ matrix.language }} + name: codeql-results-config path: sarif-results retention-days: 30 - - name: Step summary + - name: Check for Critical/High Findings if: always() run: | - echo "### 🔍 CodeQL — ${{ matrix.language }}" >> $GITHUB_STEP_SUMMARY + echo "### 🔍 CodeQL Security Analysis Complete" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "**Scan Type**: Configuration Security" >> $GITHUB_STEP_SUMMARY + echo "**Query Suite**: security-extended, security-and-quality" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "**Note**: MokoStandards is PHP-only (v04.00.04)." >> $GITHUB_STEP_SUMMARY + echo "This scan analyzes workflow files, JSON configs, YAML, and shell scripts." >> $GITHUB_STEP_SUMMARY + echo "For PHP-specific security: Use PHP SecurityValidator enterprise library." >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY URL="https://github.com/${{ github.repository }}/security/code-scanning" - echo "See the [Security tab]($URL) for findings." >> $GITHUB_STEP_SUMMARY + echo "Check the [Security tab]($URL) for detailed findings." >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY - echo "| Severity | SLA |" >> $GITHUB_STEP_SUMMARY - echo "|----------|-----|" >> $GITHUB_STEP_SUMMARY - echo "| Critical | 7 days |" >> $GITHUB_STEP_SUMMARY - echo "| High | 14 days |" >> $GITHUB_STEP_SUMMARY - echo "| Medium | 30 days |" >> $GITHUB_STEP_SUMMARY - echo "| Low | 60 days / next release |" >> $GITHUB_STEP_SUMMARY + echo "**Response Requirements**:" >> $GITHUB_STEP_SUMMARY + echo "- Critical: Fix within 7 days" >> $GITHUB_STEP_SUMMARY + echo "- High: Fix within 14 days" >> $GITHUB_STEP_SUMMARY + echo "- Medium: Fix within 30 days" >> $GITHUB_STEP_SUMMARY + echo "- Low: Fix within 60 days or next release" >> $GITHUB_STEP_SUMMARY summary: name: Security Scan Summary @@ -104,12 +107,17 @@ jobs: if: always() steps: - - name: Summary + - name: Generate Summary run: | - echo "### 🛡️ CodeQL Complete" >> $GITHUB_STEP_SUMMARY + echo "### 🛡️ Security Scanning Complete" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "All CodeQL security scans have completed." >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "**Trigger**: ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY + echo "**Branch**: ${{ github.ref_name }}" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY - echo "**Trigger:** ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY - echo "**Branch:** ${{ github.ref_name }}" >> $GITHUB_STEP_SUMMARY SECURITY_URL="https://github.com/${{ github.repository }}/security" - echo "" >> $GITHUB_STEP_SUMMARY echo "📊 [View all security alerts]($SECURITY_URL)" >> $GITHUB_STEP_SUMMARY + POLICY_URL="https://github.com/${{ github.repository }}" + POLICY_URL="${POLICY_URL}/blob/main/docs/policy/security-scanning.md" + echo "📋 [Security scanning policy]($POLICY_URL)" >> $GITHUB_STEP_SUMMARY