Merge pull request #45 from GitHubSecurityLab/geekmasher-configs

GeekMasher · web-flow · commit ffbddb130646 · 2024-02-19T09:46:26.000Z
CodeQL Configurations
diff --git a/.github/scripts/pr-configs.sh b/.github/scripts/pr-configs.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -euo pipefail
+
+PR_NUMBER=${1}
+
+codeql_code="/tmp/codeql-test-code"
+codeql_db="/tmp/codeql-test-database"
+
+for file in $(gh pr view $PR_NUMBER --json files --jq '.files.[].path'); do
+    if [[ ! -f "$file" ]]; then
+        continue
+    fi
+
+    # config file
+    if [[ "$file" == configs/*.yml ]]; then
+        echo "[+] Compiling Config :: $file"
+
+        if [[ -d "$codeql_db" ]]; then
+            rm -rf "$codeql_db"
+        fi
+
+        mkdir -p "$codeql_code"
+        echo "print('Hello, World!')" > "$codeql_code/main.py"
+
+        codeql database create \
+            --source-root=$codeql_code \
+            --language=python \
+            --codescanning-config=$file \
+            "$codeql_db"
+    fi
+done
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -141,3 +141,34 @@ jobs:
           codeql pack install "${{ matrix.language }}/ext-library-sources/"
           codeql pack create "${{ matrix.language }}/ext-library-sources/"
 
+  configs:
+    runs-on: ubuntu-latest
+    needs: compile
+    
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50
+        id: changes
+        with:
+          filters: |
+            src:
+              - 'configs/**'
+      
+      - name: Initialize CodeQL
+        if: steps.changes.outputs.src == 'true'
+        run: |
+          VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \
+                       | sort \
+                       | tail -n 1 \
+                       | tr -d '\n')"
+          echo "$VERSION/x64/codeql" >> $GITHUB_PATH
+
+      - name: "Check Configurations"
+        if: steps.changes.outputs.src == 'true'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          ./.github/scripts/pr-configs.sh "${{ github.event.number }}"
+
+
diff --git a/README.md b/README.md
@@ -33,6 +33,18 @@ Using a `githubsecuritylab/codeql-LANG-queries` query pack will reference the de
     packs: githubsecuritylab/codeql-${{ matrix.language }}-queries
 ```
 
+### Using community packs with provided configuration file
+
+This repository has a number of [provided configuration files][configurations] you can use or copy from the community packs.
+
+```yaml
+- name: Initialize CodeQL
+  uses: github/codeql-action/init@v2
+  with:
+    languages: ${{ matrix.language }}
+    config-file: GitHubSecurityLab/CodeQL-Community-Packs/configs/default.yml@main
+```
+
 ### Using a community pack from the CLI configuration file
 
 ```bash
@@ -54,3 +66,7 @@ This project is licensed under the terms of the MIT open source license. Please
 ## Support
 
 Please [create GitHub issues](https://github.com/advanced-security/brew-dependency-submission-action) for any feature requests, bugs, or documentation problems.
+
+<!-- Resources / Links -->
+
+[configurations]: ./configs
diff --git a/configs/README.md b/configs/README.md
@@ -0,0 +1,13 @@
+# Community Configurations
+
+## Default / CodeQL
+
+The `default.yml` configuration is the default config file used to make it easy to use the CodeQL Community Packs.
+
+## Audit
+
+The `audit.yml` configuration is used primary to audit code by running a number of audit queries with CodeQL.
+These are based on the suite in each language suites folder called `{LANG}-audit.qls`
+
+> [!NOTE]
+> Current Ruby and Swift are not supported
diff --git a/configs/audit.yml b/configs/audit.yml
@@ -0,0 +1,22 @@
+name: "GitHub Community Pack Audit Configuration"
+
+packs:
+  # C/C++
+  - githubsecuritylab/codeql-cpp-queries:suites/cpp-audit.qls
+  # C#
+  - githubsecuritylab/codeql-csharp-queries:suites/csharp-audit.qls
+  - githubsecuritylab/codeql-csharp-extensions
+  - githubsecuritylab/codeql-csharp-library-sources
+  # Go
+  - githubsecuritylab/codeql-go-queries:suites/go-audit.qls
+  # Java
+  - githubsecuritylab/codeql-java-queries:suites/java-audit.qls
+  - githubsecuritylab/codeql-java-extensions
+  - githubsecuritylab/codeql-java-library-sources
+  # JavaScript / Typescript
+  - githubsecuritylab/codeql-javascript-queries:suites/javascript-audit.qls
+  # Python
+  - githubsecuritylab/codeql-python-queries:suites/python-audit.qls
+  # Ruby
+  # - githubsecuritylab/codeql-ruby-queries:suites/ruby-audit.qls
+
diff --git a/configs/default.yml b/configs/default.yml
@@ -0,0 +1,22 @@
+name: "GitHub Community Pack Default CodeQL Configuration"
+
+packs:
+  # C/C++
+  - githubsecuritylab/codeql-cpp-queries
+  # C#
+  - githubsecuritylab/codeql-csharp-queries
+  - githubsecuritylab/codeql-csharp-extensions
+  - githubsecuritylab/codeql-csharp-library-sources
+  # Go
+  - githubsecuritylab/codeql-go-queries
+  # Java
+  - githubsecuritylab/codeql-java-queries
+  - githubsecuritylab/codeql-java-extensions
+  - githubsecuritylab/codeql-java-library-sources
+  # JavaScript / Typescript
+  - githubsecuritylab/codeql-javascript-queries
+  # Python
+  - githubsecuritylab/codeql-python-queries
+  # Ruby
+  - githubsecuritylab/codeql-ruby-queries
+
