mirror of
https://github.com/anchore/syft.git
synced 2026-05-20 04:05:24 +02:00
47cda2b5ef
Bumps the actions-minor-patch group with 4 updates in the / directory: [github/codeql-action](https://github.com/github/codeql-action), [marocchino/sticky-pull-request-comment](https://github.com/marocchino/sticky-pull-request-comment), [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) and [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action). Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [actions/cache](https://github.com/actions/cache). Updates `github/codeql-action` from 4.35.1 to 4.35.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](c10b8064de...95e58e9a2c) Updates `marocchino/sticky-pull-request-comment` from 3.0.3 to 3.0.4 - [Release notes](https://github.com/marocchino/sticky-pull-request-comment/releases) - [Commits](d4d6b09364...0ea0beb66e) Updates `slackapi/slack-github-action` from 3.0.1 to 3.0.2 - [Release notes](https://github.com/slackapi/slack-github-action/releases) - [Changelog](https://github.com/slackapi/slack-github-action/blob/main/CHANGELOG.md) - [Commits](af78098f53...03ea5433c1) Updates `zizmorcore/zizmor-action` from 0.5.2 to 0.5.3 - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](71321a20a9...b1d7e1fb5d) Updates `actions/cache` from 5.0.4 to 5.0.5 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](668228422a...27d5ce7f10) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: marocchino/sticky-pull-request-comment dependency-version: 3.0.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: slackapi/slack-github-action dependency-version: 3.0.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: zizmorcore/zizmor-action dependency-version: 0.5.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: actions/cache dependency-version: 5.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
82 lines
2.8 KiB
YAML
82 lines
2.8 KiB
YAML
# CodeQL scans for security vulnerabilities and coding errors across all
|
|
# languages in this repo. Results appear in the "Security" tab under
|
|
# "Code scanning alerts" and are enforced by branch protection rules.
|
|
name: "CodeQL"
|
|
|
|
on:
|
|
push:
|
|
branches: [ "main" ]
|
|
pull_request:
|
|
branches: [ "main" ]
|
|
# Weekly scheduled scan catches newly disclosed vulnerabilities in
|
|
# existing code, not just changes introduced by PRs.
|
|
schedule:
|
|
- cron: '38 11 * * 3'
|
|
|
|
jobs:
|
|
analyze:
|
|
name: Analyze (${{ matrix.language }})
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
# Required to upload SARIF results to the "Security" tab.
|
|
security-events: write
|
|
# Required to fetch internal or private CodeQL packs.
|
|
packages: read
|
|
# Only required for workflows in private repositories.
|
|
actions: read
|
|
contents: read
|
|
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
# GitHub Actions workflow linting — no build needed.
|
|
- language: actions
|
|
build-mode: none
|
|
|
|
# Go uses "manual" build mode so we control exactly what gets
|
|
# compiled. The default "autobuild" finds the Makefile and runs
|
|
# the full CI pipeline (lint, test, snapshot release, etc.),
|
|
# which is far more work than CodeQL needs. All it requires is
|
|
# compiled Go source so it can build a type-resolved code graph
|
|
# for analysis.
|
|
- language: go
|
|
build-mode: manual
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
|
|
with:
|
|
persist-credentials: false
|
|
|
|
# Pin the Go toolchain to whatever go.mod declares so CodeQL
|
|
# analyzes with the same version the project actually uses.
|
|
# Only runs for the Go matrix entry.
|
|
- name: Setup Go
|
|
if: matrix.language == 'go'
|
|
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
|
|
with:
|
|
go-version-file: go.mod
|
|
|
|
- name: Initialize CodeQL
|
|
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
|
|
with:
|
|
languages: ${{ matrix.language }}
|
|
build-mode: ${{ matrix.build-mode }}
|
|
|
|
# Minimal build for Go: compile all packages so CodeQL gets a full
|
|
# type-resolved code graph for analysis.
|
|
- name: Build (Go)
|
|
if: matrix.build-mode == 'manual'
|
|
shell: bash
|
|
run: go build ./...
|
|
|
|
- name: Perform CodeQL Analysis
|
|
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
|
|
with:
|
|
# The category tag lets GitHub associate SARIF results with the
|
|
# correct language when branch protection checks for required
|
|
# code scanning results.
|
|
category: "/language:${{matrix.language}}"
|