Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 27 additions & 0 deletions .github/actions/analysis/codeql/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
#
# BSD 3-Clause License
# Copyright (C) 2026 Intel Corporation
# SPDX-License-Identifier: BSD-3-Clause
#
name: 'CodeQL Scan'
description: 'Initialize CodeQL, build dvledtx, and perform CodeQL analysis for C/C++'

runs:
using: composite
steps:
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
languages: c-cpp
build-mode: manual

# `c-cpp` always requires a manual build so CodeQL can trace the
# compiler invocations produced by meson/ninja.
- name: Build dvledtx
uses: ./.github/actions/build-dvledtx

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
category: "/language:c-cpp"
53 changes: 53 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
#
Comment thread
roshan-ku marked this conversation as resolved.
# BSD 3-Clause License
# Copyright (C) 2026 Intel Corporation
# SPDX-License-Identifier: BSD-3-Clause
#
# CodeQL Advanced workflow for dvledtx (C/C++ project built with meson/ninja).
#
# This repository only contains C sources, so the language matrix has been
# reduced to `c-cpp` and the build mode set to `manual`, reusing the existing
# environment-check/build-dvledtx composite actions so CodeQL traces the same
# build the rest of CI performs.
name: CodeQL Scan

on:
schedule:
# Weekly on Monday at 07:19 UTC
- cron: '19 7 * * 1'
workflow_dispatch:

permissions: {}

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
codeql:
name: CodeQL Scan
runs-on: ubuntu-latest
timeout-minutes: 45
permissions:
contents: read
security-events: write # Required to upload SARIF results to GitHub Security tab

steps:
- name: Clean up previous run
env:
WORKSPACE: ${{ github.workspace }}
run: |
find "$WORKSPACE" -mindepth 1 -maxdepth 1 -exec rm -rf {} +

- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ github.sha }}
fetch-depth: 0
persist-credentials: false

- name: Environment check
uses: ./.github/actions/environment-check

- name: CodeQL Scan
uses: ./.github/actions/analysis/codeql
13 changes: 12 additions & 1 deletion .github/workflows/scan_on_demand.yml
Original file line number Diff line number Diff line change
Expand Up @@ -103,36 +103,47 @@ jobs:
cat "$REPORT"

- name: ShellCheck
if: always()
uses: ./.github/actions/analysis/shellcheck

- name: zizmor Scan
if: always()
uses: ./.github/actions/analysis/zizmor

- name: cppcheck
if: always()
uses: ./.github/actions/analysis/cppcheck

- name: Trivy Scan
if: always()
uses: ./.github/actions/analysis/trivy

- name: CodeQL Scan
if: always()
uses: ./.github/actions/analysis/codeql

- name: Coverity Scan
if: always()
uses: ./.github/actions/analysis/coverity
env:
COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
COVERITY_EMAIL: ${{ secrets.COVERITY_EMAIL }}

- name: Upload SARIF to Security tab
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
if: always()
if: always() && hashFiles('reports/coverity-results.sarif') != ''
with:
sarif_file: reports/coverity-results.sarif
category: coverity

- name: AFL Fuzz
if: always()
uses: ./.github/actions/analysis/afl-fuzz
with:
max-seconds: '300'

- name: libFuzzer
if: always()
uses: ./.github/actions/analysis/libfuzzer
with:
max-seconds: '300'
Expand Down
Loading