From 67dc01b636c6ed5bcd41635b2aae68123219d4f3 Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Fri, 29 Aug 2025 18:05:47 +0100
Subject: [PATCH 1/6] Actions: Add successfully extracted files query

---
 .../src/Diagnostics/SuccessfullyExtractedFiles.ql | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql

diff --git a/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql b/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
new file mode 100644
index 000000000000..eebf889a3885
--- /dev/null
+++ b/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
@@ -0,0 +1,13 @@
+/**
+ * @id actions/diagnostics/successfully-extracted-files
+ * @name Extracted files
+ * @description List all files that were extracted.
+ * @kind diagnostic
+ * @tags successfully-extracted-files
+ */
+
+private import codeql.Locations
+
+from File f
+where exists(f.getRelativePath())
+select f, ""

From 71bac5eda88d29c02e6c3400bb3b6cf854e5c19d Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Fri, 29 Aug 2025 20:10:20 +0100
Subject: [PATCH 2/6] Actions: Add file coverage baseline

---
 actions/extractor/codeql-extractor.yml         |  3 ++-
 actions/extractor/tools/baseline-config.json   | 10 ++++++++++
 actions/extractor/tools/configure-baseline.cmd |  2 ++
 actions/extractor/tools/configure-baseline.sh  |  3 +++
 4 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 actions/extractor/tools/baseline-config.json
 create mode 100755 actions/extractor/tools/configure-baseline.cmd
 create mode 100755 actions/extractor/tools/configure-baseline.sh

diff --git a/actions/extractor/codeql-extractor.yml b/actions/extractor/codeql-extractor.yml
index ab7374910054..ed3d54173234 100644
--- a/actions/extractor/codeql-extractor.yml
+++ b/actions/extractor/codeql-extractor.yml
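Review bot: The `@description` says the query lists all files that were extracted, but the `where exists(f.getRelativePath())` clause keeps only files that have a path relative to the source root, so an extracted file that lies outside the source root is not reported; the metadata should say so, e.g. `* @description List all files that were extracted and are located under the source root.` A short comment above the `where` clause, such as `// Files outside the source root have no relative path and are excluded.`, would also spare the next reader from having to look up the semantics of getRelativePath to understand the filter.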
@@ -8,7 +8,8 @@
 build_modes:
   - none
 file_coverage_languages: []
 github_api_languages: []
-scc_languages: []
+scc_languages:
+  - YAML
 file_types:
   - name: workflow
     display_name: GitHub Actions workflow files
diff --git a/actions/extractor/tools/baseline-config.json b/actions/extractor/tools/baseline-config.json
new file mode 100644
index 000000000000..fde0bd1ecdff
--- /dev/null
+++ b/actions/extractor/tools/baseline-config.json
@@ -0,0 +1,10 @@
+{
+  "paths": [
+    ".github/workflows/*.yml",
+    ".github/workflows/*.yaml",
+    ".github/reusable_workflows/**/*.yml",
+    ".github/reusable_workflows/**/*.yaml",
+    "**/action.yml",
+    "**/action.yaml"
+  ]
+}
diff --git a/actions/extractor/tools/configure-baseline.cmd b/actions/extractor/tools/configure-baseline.cmd
new file mode 100755
index 000000000000..b9c1b3f7a028
--- /dev/null
+++ b/actions/extractor/tools/configure-baseline.cmd
@@ -0,0 +1,2 @@
+@echo off
+type "%CODEQL_EXTRACTOR_ACTIONS_ROOT%\tools\baseline-config.json"
diff --git a/actions/extractor/tools/configure-baseline.sh b/actions/extractor/tools/configure-baseline.sh
new file mode 100755
index 000000000000..6fd7605ef3f9
--- /dev/null
+++ b/actions/extractor/tools/configure-baseline.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cat "$CODEQL_EXTRACTOR_ACTIONS_ROOT/tools/baseline-config.json"

From a6fb45b9cb4b287a89f0ed710c595233bc0a75b7 Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Fri, 5 Sep 2025 13:13:43 +0100
Subject: [PATCH 3/6] Update expected files

---
 .../query-suite/actions-code-scanning.qls.expected        | 1 +
 .../query-suite/actions-security-and-quality.qls.expected | 1 +
 .../query-suite/actions-security-extended.qls.expected    | 1 +
 3 files changed, 3 insertions(+)

diff --git a/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected b/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
index 4a12174ffbda..90ee8a79483c 100644
--- a/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
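Review bot: The globs in the `"paths"` array decide which files count towards the file coverage baseline, and they have to stay in step with what the extractor actually extracts (the `file_types` block of codeql-extractor.yml, whose start is visible at the end of the first hunk here but whose patterns are not); if the two drift apart, the coverage figure derived from this baseline will be skewed, and nothing records that dependency. JSON has no comment syntax, so the reminder belongs next to the `cat` line in configure-baseline.sh, e.g. `# Keep the paths in baseline-config.json in sync with the file_types in codeql-extractor.yml.` It is also worth confirming that `.github/workflows/*.yml` being non-recursive while `.github/reusable_workflows/**/*.yml` is recursive is deliberate; I assume it mirrors where GitHub looks for workflow files, but the file does not say.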
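Review bot: If `CODEQL_EXTRACTOR_ACTIONS_ROOT` is unset, the `cat` line expands to `/tools/baseline-config.json` and the only diagnostic is cat's file-not-found message, which does not name the missing variable; `cat "${CODEQL_EXTRACTOR_ACTIONS_ROOT:?}/tools/baseline-config.json"` makes the script exit with a message that does, at no cost to the normal path. The script also carries no comment saying what it is for; a header line such as `# Print the file coverage baseline configuration from baseline-config.json.` would help, and the same applies to the `.cmd` counterpart in the preceding hunk.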
+++ b/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
@@ -1,3 +1,4 @@
+ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
diff --git a/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected b/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
index d071a33c1861..111fc3e45243 100644
--- a/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
@@ -1,4 +1,5 @@
 ql/actions/ql/src/Debug/SyntaxError.ql
+ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
diff --git a/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected b/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
index 06a9c6745e48..6ee3140d0706 100644
--- a/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
@@ -1,3 +1,4 @@
+ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql

From e7fbd28505ceebba982a7593a03b2a47ad217fc0 Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Fri, 5 Sep 2025 14:48:12 +0100
Subject: [PATCH 4/6] Add changelog note

---
 actions/ql/src/change-notes/file-coverage.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 actions/ql/src/change-notes/file-coverage.md

diff --git a/actions/ql/src/change-notes/file-coverage.md b/actions/ql/src/change-notes/file-coverage.md
new file mode 100644
index 000000000000..27f026146477
--- /dev/null
+++ b/actions/ql/src/change-notes/file-coverage.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Actions analysis now reports file coverage information on the CodeQL status page.

From 526990e01590f4602bad3caaf127f0762e176f87 Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Fri, 5 Sep 2025 14:49:48 +0100
Subject: [PATCH 5/6] Add comment about GitHub API languages

---
 actions/extractor/codeql-extractor.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/actions/extractor/codeql-extractor.yml b/actions/extractor/codeql-extractor.yml
index ed3d54173234..b8c6f7ed97b0 100644
--- a/actions/extractor/codeql-extractor.yml
+++ b/actions/extractor/codeql-extractor.yml
@@ -6,7 +6,8 @@ column_kind: "utf16"
 unicode_newlines: true
 build_modes:
   - none
-file_coverage_languages: []
+# Actions workflows are not reported separately by the GitHub API, so we can't
+# associate them with a specific language.
 github_api_languages: []
 scc_languages:
   - YAML

From fea05331aacbcf0fe3125321935229041b23875f Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Fri, 5 Sep 2025 14:51:28 +0100
Subject: [PATCH 6/6] Add date to changelog note filename

---
 .../{file-coverage.md => 2025-09-05-file-coverage.md} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename actions/ql/src/change-notes/{file-coverage.md => 2025-09-05-file-coverage.md} (100%)
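Review bot: Besides the comment that the subject line "Add comment about GitHub API languages" describes, the hunk also deletes `file_coverage_languages: []`, which is a change to the extractor's configuration rather than a comment, and nothing in the commit record says why the key is dropped or what the extractor does without it. Either mention the removal in the commit message or move it into its own commit, and if it is intentional, say so in the file with a line such as `# file_coverage_languages is deliberately left unset here.` placed where the key used to be, so the next reader does not take it for an accidental deletion. The two comment lines added above `github_api_languages: []` read clearly as they stand.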
diff --git a/actions/ql/src/change-notes/file-coverage.md b/actions/ql/src/change-notes/2025-09-05-file-coverage.md
similarity index 100%
rename from actions/ql/src/change-notes/file-coverage.md
rename to actions/ql/src/change-notes/2025-09-05-file-coverage.md