Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update README with detailed information #2415

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Update README with detailed information #2415

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d5ec7f0
Update README with detailed information
aeisenberg Aug 7, 2024
0f63fee
Clean up README
aeisenberg Aug 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 39 additions & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,10 +16,48 @@ We recommend using default setup to configure CodeQL analysis for your repositor

You can also configure advanced setup for a repository to find security vulnerabilities in your code using a highly customizable code scanning configuration. For more information, see "[Configuring advanced setup for code scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)" and "[Customizing your advanced setup for code scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)."

### Permissions
### Actions

This repository contains several actions that enable you to create and upload your CodeQL analyses to GitHub Code Scanning. Also, you can upload analyses generated by any SARIF-producing SAST tool using actions in this repository.

Actions for CodeQL analyses:

- `init`: Sets up CodeQL for analysis. For information about input parameters, see the [init action definition](https://github.com/github/codeql-action/blob/main/init/action.yml).
- `analyze`: Finalizes the CodeQL database and runs the analysis. For information about input parameters, see the [analyze action definition](https://github.com/github/codeql-action/blob/main/analyze/action.yml).

Actions for uploading analyses generated by third-party tools:

- `upload-sarif`: Uploads a SARIF file to Code Scanning. For information about input parameters, see the [upload-sarif action definition](https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml).

Actions with special purposes and unlikely to be used directly:

- `autobuild`: Attempts to automatically build the code. Only used for analyzing languages that require a build. Now deprecated. Use the `build-mode: autobuild` input in the `init` action instead. For information about input parameters, see the [autobuild action definition](https://github.com/github/codeql-action/blob/main/autobuild/action.yml).
- `resolve-environment`: Attempts to infer a build environment suitable for automatic builds. For information about input parameters, see the [resolve-environment action definition](https://github.com/github/codeql-action/blob/main/resolve-environment/action.yml).
- `start-proxy`: Starts an HTTP proxy server for downloading dependencies in private registries. For information about input parameters, see the [start-proxy action definition](https://github.com/github/codeql-action/blob/main/start-proxy/action.yml).

### Workflow Permissions

All advanced setup code scanning workflows must have the `security-events: write` permission. Workflows in private repositories must additionally have the `contents: read` permission. For more information, see "[Assigning permissions to jobs](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs)."

### Build Modes

The CodeQL Action supports different build modes for analyzing the source code. The available build modes are:

- `none`: The database will be created without building the source code. Available for all interpreted languages and some compiled languages.
- `autobuild`: The database will be created by attempting to automatically build the source code. Available for all compiled languages.
- `manual`: The database will be created by building the source code using a manually specified build command. To use this build mode, specify manual build steps in your workflow between the `init` and `analyze` steps. Available for all compiled languages.

#### Which build mode should I use?

Interpreted languages must use `none` for the build mode.

For compiled languages:

- `manual` build mode will typically produce the most precise results, but it is more difficult to set up and will cause the analysis to take slightly more time to run.
- `autobuild` build mode is simple to set up, but will only work for projects with simple build steps that can be guessed by the heuristics of the autobuild scripts. If `autobuild` fails, then you must choose `manual` or `none`. If it works, then the results and run time will be the same as `manual` mode.
- `none` build mode is also simple to set up and is slightly faster to run, but there is a possibility that some alerts will be missed. This may happen if your repository does any code generation during compilation or if there are any dependencies downloaded from registries that the workflow does not have access to. Also, `none` is not yet supported by C/C++, Swift, Go, or Kotlin.


## Supported versions of the CodeQL Action

The following versions of the CodeQL Action are currently supported:
Expand Down
Loading