hedgedoc/.github/workflows/static-analysis.yml

# SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
#
# SPDX-License-Identifier: AGPL-3.0-only

name: Static Analysis

on:
  push:
    branches: [ develop ]
  pull_request:
    branches: [ develop ]
  schedule:
    - cron: '0 7 * * 6'

permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  njsscan:
    runs-on: ubuntu-latest
    name: Njsscan code scanning
    steps:
      - name: Checkout the code
        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - name: Scan with njsscan
        id: njsscan
        uses: ajinabraham/njsscan-action@d58d8b2f26322cd35a9efb8003baac517f226d81 # master
        with:
          args: '--sarif --output results.sarif src || true'
      - name: Upload njsscan report
        uses: github/codeql-action/upload-sarif@16964e90ba004cdf0cd845b866b5df21038b7723 # v2.2.6
        with:
          sarif_file: results.sarif

  codeql:
    name: CodeQL analysis
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        language: [ 'javascript' ]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]

    steps:
      - name: Checkout repository
        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

      - name: Initialize CodeQL
        uses: github/codeql-action/init@16964e90ba004cdf0cd845b866b5df21038b7723 # v2.2.6
        with:
          languages: ${{ matrix.language }}
          queries: +security-and-quality

      - name: Autobuild
        uses: github/codeql-action/autobuild@16964e90ba004cdf0cd845b866b5df21038b7723 # v2.2.6

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@16964e90ba004cdf0cd845b866b5df21038b7723 # v2.2.6
        with:
          category: "/language:${{ matrix.language }}"
misc: add turbo monorepo util Co-authored-by: Tilman Vatteroth <git@tilmanvatteroth.de> Co-authored-by: David Mehren <git@herrmehren.de> Co-authored-by: Erik Michelson <github@erik.michelson.eu> Signed-off-by: Erik Michelson <github@erik.michelson.eu> Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de> 2022-12-11 18:46:30 -05:00			`# SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)`
			`#`
			`# SPDX-License-Identifier: AGPL-3.0-only`

			`name: Static Analysis`

			`on:`
			`push:`
			`branches: [ develop ]`
			`pull_request:`
			`branches: [ develop ]`
			`schedule:`
			`- cron: '0 7 * * 6'`

			`permissions:`
			`actions: read`
			`contents: read`
			`security-events: write`

			`jobs:`
			`njsscan:`
			`runs-on: ubuntu-latest`
			`name: Njsscan code scanning`
			`steps:`
			`- name: Checkout the code`
			`uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0`
			`- name: Scan with njsscan`
			`id: njsscan`
			`uses: ajinabraham/njsscan-action@d58d8b2f26322cd35a9efb8003baac517f226d81 # master`
			`with:`
			`args: '--sarif --output results.sarif src \|\| true'`
			`- name: Upload njsscan report`
chore(deps): update github/codeql-action action to v2.2.6 Signed-off-by: Renovate Bot <bot@renovateapp.com> 2023-03-11 03:05:21 -05:00			`uses: github/codeql-action/upload-sarif@16964e90ba004cdf0cd845b866b5df21038b7723 # v2.2.6`
misc: add turbo monorepo util Co-authored-by: Tilman Vatteroth <git@tilmanvatteroth.de> Co-authored-by: David Mehren <git@herrmehren.de> Co-authored-by: Erik Michelson <github@erik.michelson.eu> Signed-off-by: Erik Michelson <github@erik.michelson.eu> Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de> 2022-12-11 18:46:30 -05:00			`with:`
			`sarif_file: results.sarif`

			`codeql:`
			`name: CodeQL analysis`
			`runs-on: ubuntu-latest`

			`strategy:`
			`fail-fast: false`
			`matrix:`
			`language: [ 'javascript' ]`
			`# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]`

			`steps:`
			`- name: Checkout repository`
			`uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0`

			`- name: Initialize CodeQL`
chore(deps): update github/codeql-action action to v2.2.6 Signed-off-by: Renovate Bot <bot@renovateapp.com> 2023-03-11 03:05:21 -05:00			`uses: github/codeql-action/init@16964e90ba004cdf0cd845b866b5df21038b7723 # v2.2.6`
misc: add turbo monorepo util Co-authored-by: Tilman Vatteroth <git@tilmanvatteroth.de> Co-authored-by: David Mehren <git@herrmehren.de> Co-authored-by: Erik Michelson <github@erik.michelson.eu> Signed-off-by: Erik Michelson <github@erik.michelson.eu> Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de> 2022-12-11 18:46:30 -05:00			`with:`
			`languages: ${{ matrix.language }}`
			`queries: +security-and-quality`

			`- name: Autobuild`
chore(deps): update github/codeql-action action to v2.2.6 Signed-off-by: Renovate Bot <bot@renovateapp.com> 2023-03-11 03:05:21 -05:00			`uses: github/codeql-action/autobuild@16964e90ba004cdf0cd845b866b5df21038b7723 # v2.2.6`
misc: add turbo monorepo util Co-authored-by: Tilman Vatteroth <git@tilmanvatteroth.de> Co-authored-by: David Mehren <git@herrmehren.de> Co-authored-by: Erik Michelson <github@erik.michelson.eu> Signed-off-by: Erik Michelson <github@erik.michelson.eu> Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de> 2022-12-11 18:46:30 -05:00
			`- name: Perform CodeQL Analysis`
chore(deps): update github/codeql-action action to v2.2.6 Signed-off-by: Renovate Bot <bot@renovateapp.com> 2023-03-11 03:05:21 -05:00			`uses: github/codeql-action/analyze@16964e90ba004cdf0cd845b866b5df21038b7723 # v2.2.6`
misc: add turbo monorepo util Co-authored-by: Tilman Vatteroth <git@tilmanvatteroth.de> Co-authored-by: David Mehren <git@herrmehren.de> Co-authored-by: Erik Michelson <github@erik.michelson.eu> Signed-off-by: Erik Michelson <github@erik.michelson.eu> Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de> 2022-12-11 18:46:30 -05:00			`with:`
			`category: "/language:${{ matrix.language }}"`