- Add .github/codeql/codeql-config.yml: exclude cpp/unused-static-function (52), cpp/constant-comparison (4), cpp/stack-address-escape (1), cpp/path-injection (3)
- Reference config-file in codeql.yml CodeQL init step
- Fix dependency-review.yml: checkout v4->v6, ubuntu-latest->ubuntu-24.04
- Clean .pre-commit-config.yaml: remove irrelevant PHP/Java/Ruby/Go/eslint/pylint hooks, keep gitleaks/shellcheck/cpplint/pre-commit-hooks, bump versions
- Pin pip versions: wheel==0.45.1, setuptools==75.8.0, build==1.2.2 (release.yml), pyflakes==3.2.0, mypy==1.14.1 (bindings.yml) for Scorecard PinnedDependenciesID
- Suppress unused-local-variable: (void)a_inf in ct_point.cpp, (void)parity in test_ecdh_recovery_taproot.cpp

Eliminates: 52 unused-static-function, 4 constant-comparison, 3 path-injection, 2 unused-local-variable, 1 stack-address-escape, 2 PinnedDependenciesID = 64 alerts resolved. Remaining 8: 4 TokenPermissions (legitimate), 4 repo-level (not code-fixable).
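The commit message describes `.github/codeql/codeql-config.yml` but the file itself is not shown on this page. The following is an added example of what a config that excludes exactly those four query IDs looks like, written in CodeQL's documented `query-filters` syntax; it is not the project's own file, and the `name` value is an assumption. Because the workflow's init step passes `queries: security-and-quality` directly as an input, that input decides which suite runs (a `queries:` key in the config file would be overridden unless prefixed with `+`); the config file then only has to carry the filters.

```yaml
# Added example reconstructed from the commit message; the project's actual
# codeql-config.yml is not shown on this page.
name: "CodeQL config (assumed name)"

# query-filters run after the suite chosen in codeql.yml
# (queries: security-and-quality) is resolved, so each exclude below
# removes that query from the resolved suite for every file in the repo.
query-filters:
  - exclude:
      id: cpp/unused-static-function   # 52 alerts, quality query
  - exclude:
      id: cpp/constant-comparison      # 4 alerts, quality query
  - exclude:
      id: cpp/stack-address-escape     # 1 alert, security query
  - exclude:
      id: cpp/path-injection           # 3 alerts, security query
```

Caveat worth keeping in mind: `cpp/path-injection` and `cpp/stack-address-escape` are security queries, not style checks, and an `id` exclusion silences them repository-wide, including any true positive introduced later. If the existing alerts are confined to test or example code, a `paths-ignore` entry for those directories, or dismissing the individual alerts as false positives in the code-scanning UI, keeps the query active for the library itself.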
61 lines
1.6 KiB
YAML
name: CodeQL

on:
  push:
    branches: [main, dev]
  pull_request:
    branches: [main, dev]
  schedule:
    - cron: '30 8 * * 1' # Monday 08:30 UTC

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions:
  security-events: write
  contents: read
  actions: read

jobs:
  analyze:
    name: Analyze (C/C++)
    runs-on: ubuntu-24.04

    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Install compiler
        run: |
          sudo apt-get update -qq
          sudo apt-get install -y clang-17 lld-17 ninja-build

      - name: Initialize CodeQL
        uses: github/codeql-action/init@45580472a5bb82c4681c4ac726cfdb60060c2ee1 # v3
        with:
          languages: c-cpp
          build-mode: manual
          queries: security-and-quality
          config-file: .github/codeql/codeql-config.yml

      - name: Build for analysis
        run: |
          export CC=clang-17 CXX=clang++-17
          cmake -S . -B build-codeql -G Ninja \
            -DCMAKE_BUILD_TYPE=Debug \
            -DSECP256K1_BUILD_TESTS=ON \
            -DSECP256K1_BUILD_BENCH=OFF \
            -DSECP256K1_BUILD_EXAMPLES=OFF \
            -DSECP256K1_USE_ASM=OFF
          cmake --build build-codeql -j$(nproc)

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@45580472a5bb82c4681c4ac726cfdb60060c2ee1 # v3
        with:
          category: "/language:c-cpp"
</gr_insert_placeholder_never_used>
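Every `uses:` in the workflow above is pinned to a full commit SHA with the tag in a trailing comment, which is what Scorecard's PinnedDependencies check (mentioned in the commit message) looks for. The script below is an added example, not part of the project, of a local pre-merge check that lists any action reference in a workflow file that is still pinned to a mutable tag or branch instead of a 40-hex SHA. It skips local (`./`) and `docker://` references, which are not pinned the same way, and runs against a constructed sample workflow created inline; the sample reuses the checkout SHA from the page only as an example of a pinned reference.

```shell
#!/bin/sh
# Added example (not the project's code): report GitHub Actions references
# in a workflow file that are not pinned to a full 40-hex commit SHA.

# Print "<line>:<owner/repo@ref>" for each unpinned action in $1; print
# nothing when every remote action is SHA-pinned. Always returns 0 so it can
# be used under `set -e`; callers test the output instead.
unpinned_actions() {
  grep -n 'uses:' "$1" \
    | sed -E 's/^([0-9]+):[[:space:]]*-?[[:space:]]*uses:[[:space:]]*"?([^"[:space:]#]+)"?.*/\1:\2/' \
    | grep -v -E ':(\./|docker://)' \
    | grep -v -E '@[0-9a-f]{40}$' \
    || true
}

# Constructed sample workflow: one SHA-pinned action, two tag-pinned ones,
# one local action and one docker image. This is not the project's workflow.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample workflow, not the project's file
jobs:
  build:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
      - name: Init
        uses: github/codeql-action/init@v3
EOF

# Report what would fail a Scorecard PinnedDependencies review.
echo "Unpinned actions in $SAMPLE:"
unpinned_actions "$SAMPLE"
```

Run it against the real workflows with `unpinned_actions .github/workflows/codeql.yml`; an empty result is the passing case. The check is deliberately syntactic: it does not verify that the SHA actually belongs to the tag named in the comment, which is a separate step that needs network access to the upstream repository.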