Posted to commits@olingo.apache.org by mi...@apache.org on 2022/02/26 07:42:10 UTC

[olingo-odata4] 01/02: Set up CodeQL scans

This is an automated email from the ASF dual-hosted git repository.

mibo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/olingo-odata4.git

commit f6a305c464c504c41d31e160ee242ee6f81722ea
Author: D067452 <so...@sap.com>
AuthorDate: Mon Aug 2 17:10:28 2021 +0200

    Set up CodeQL scans
    
    GitHub offers code scanning that is based on CodeQL (the same engine that is used in [LGTM.com](https://lgtm.com/)). Shortly, that's a static analysis tool that is able to catch various issues including security ones. Once enabled for pull requests, it would help with catching issues earlier.
    
    The scan may be run via [GitHub Actions](https://docs.github.com/en/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository#enabling-code-scanning-using-actions) for pull requests. Or, LGTM checks may be enabled, the instructions are [here](https://lgtm.com/help/lgtm/managing-automated-code-review).
    
    This pull request adds a GitHub workflow that runs CodeQL scans for pull requests and the main branch. The results will be available:
    
    - in the "Security" tab for project maintainers
    - in each pull request (only new alerts or fixed ones)
---
 .github/workflows/codeql-analysis.yml | 49 +++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 0000000..3407fe9
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,49 @@
+name: "CodeQL"
+
+on:
+  schedule:
+    - cron: '00 20 * * 3'
+  push:
+    branches: [master]
+    paths-ignore:
+      - 'LICENSE'
+      - 'NOTICE'
+      - 'README'
+      - SECURITY.md'
+  pull_request:
+    branches: [master]
+    paths-ignore:
+      - 'LICENSE'
+      - 'NOTICE'
+      - 'README'
+      - SECURITY.md'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1
\ No newline at end of file
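Review bot: the two `paths-ignore` entries written as `- SECURITY.md'` (once under `push`, once under `pull_request`) are missing the opening single quote, so YAML parses the value as the plain scalar `SECURITY.md'` including the trailing apostrophe and the file is never actually excluded; change both to `- 'SECURITY.md'` to match the neighbouring `'LICENSE'`, `'NOTICE'` and `'README'` entries. Two minor points: the file ends without a trailing newline, and the actions are referenced by floating major tags (`actions/checkout@v2`, `github/codeql-action/init@v1`, `autobuild@v1`, `analyze@v1`); since the `permissions` block already follows least privilege with `security-events: write` as the only write scope, pinning each action to a full commit SHA would be the remaining step to keep the workflow from silently picking up whatever those upstream tags point to later.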