ci(code-ql): add code ql analysis on pr on develop (#506)

antoinezanardi · Sep 21, 2023 · 5c5498a · 5c5498a
1 parent 6f3ec94
commit 5c5498a
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 9 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -8,6 +8,32 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 jobs:
+  code-ql:
+    name: CodeQL Scan ❇️
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout GitHub repository 📡
+        uses: actions/checkout@v3
+
+      - name: Initialize CodeQL ⚙️
+        uses: github/codeql-action/init@v2
+        with:
+          languages: javascript
+
+      - name: AutoBuild 🌡️
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis ❇️
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:javascript"
+
   install:
     name: Install ⚙️
     runs-on: ubuntu-latest
@@ -28,6 +54,7 @@ jobs:
       - name: Install project dependencies 📦
         run: npm ci --ignore-scripts
         if: steps.cache-node-modules.outputs.cache-hit != 'true'
+
   build:
     name: Build ✨
     runs-on: ubuntu-latest
@@ -49,6 +76,7 @@ jobs:
           key: ${{ runner.os }}-npm-v3-${{ hashFiles('package-lock.json') }}
       - name: Build app ✨
         run: npm run build
+
   lint:
     name: Lint 🔍
     runs-on: ubuntu-latest
@@ -70,6 +98,7 @@ jobs:
           key: ${{ runner.os }}-npm-v3-${{ hashFiles('package-lock.json') }}
       - name: Check and lint code 🔍
         run: npm run lint
+
   unit-tests:
     name: Unit Tests 🧪
     runs-on: ubuntu-latest
@@ -91,6 +120,7 @@ jobs:
           key: ${{ runner.os }}-npm-v3-${{ hashFiles('package-lock.json') }}
       - name: Unit tests 🧪
         run: npm run test:unit:cov
+
   e2e-tests:
     name: E2E Tests ⚗️
     runs-on: ubuntu-latest
@@ -116,6 +146,7 @@ jobs:
         run: npm run test:e2e:cov
       - name: Stop Docker containers 🐳
         run: npm run docker:test:stop
+
   all-tests:
     name: All Tests 🧬
     runs-on: ubuntu-latest
@@ -147,6 +178,7 @@ jobs:
           key: ${{ runner.os }}-tests-coverage-v3-${{hashFiles('tests/coverage/lcov.info')}}
       - name: Stop Docker containers 🐳
         run: npm run docker:test:stop
+
   mutant-tests:
     name: Mutant Tests 👽
     runs-on: ubuntu-latest
@@ -175,6 +207,7 @@ jobs:
         run: npm run test:stryker
       - name: Stop Docker containers 🐳
         run: npm run docker:test:stop
+
   acceptance-tests:
     name: Acceptance Tests 🥒
     runs-on: ubuntu-latest
@@ -200,6 +233,7 @@ jobs:
         run: npm run test:cucumber
       - name: Stop Docker containers 🐳
         run: npm run docker:test:stop
+
   sonarcloud:
     name: SonarCloud Analysis 🌥️
     runs-on: ubuntu-latest

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -13,6 +13,32 @@ env:
   GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
 
 jobs:
+  code-ql:
+    name: CodeQL Scan ❇️
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout GitHub repository 📡
+        uses: actions/checkout@v3
+
+      - name: Initialize CodeQL ⚙️
+        uses: github/codeql-action/init@v2
+        with:
+          languages: javascript
+
+      - name: AutoBuild 🌡️
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis ❇️
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:javascript"
+
   install:
     name: Install ⚙️
     runs-on: ubuntu-latest

diff --git a/README.md b/README.md
@@ -175,29 +175,28 @@ npm run lint:staged
 
 ### 🥇 Project quality scanner
 
+Multiple tools are set up to maintain the best code quality and to prevent vulnerabilities :
+
+![CodeQL](https://img.shields.io/badge/-CodeQL-black?style=for-the-badge&logoColor=white&logo=github&color=2781FE)
+
+You can check the **[CodeQL analysis report here](https://github.com/antoinezanardi/werewolves-assistant-api-next/security/code-scanning)**.
+
 ![SonarCloud](https://img.shields.io/badge/-SonarCloud-black?style=for-the-badge&logoColor=white&logo=sonarcloud&color=F37A3A)
 
-[![Coverage](https://sonarcloud.io/api/project_badges/measure?project=antoinezanardi_werewolves-assistant-api-next&metric=coverage)](https://sonarcloud.io/summary/new_code?id=antoinezanardi_werewolves-assistant-api-next)
+SonarCloud summary is available **[here](https://sonarcloud.io/summary/new_code?id=antoinezanardi_werewolves-assistant-api-next)**.
 
+[![Coverage](https://sonarcloud.io/api/project_badges/measure?project=antoinezanardi_werewolves-assistant-api-next&metric=coverage)](https://sonarcloud.io/summary/new_code?id=antoinezanardi_werewolves-assistant-api-next)
 [![Duplicated Lines (%)](https://sonarcloud.io/api/project_badges/measure?project=antoinezanardi_werewolves-assistant-api-next&metric=duplicated_lines_density)](https://sonarcloud.io/summary/new_code?id=antoinezanardi_werewolves-assistant-api-next)
-
 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=antoinezanardi_werewolves-assistant-api-next&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=antoinezanardi_werewolves-assistant-api-next)
 
 [![Technical Debt](https://sonarcloud.io/api/project_badges/measure?project=antoinezanardi_werewolves-assistant-api-next&metric=sqale_index)](https://sonarcloud.io/summary/new_code?id=antoinezanardi_werewolves-assistant-api-next)
-
 [![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=antoinezanardi_werewolves-assistant-api-next&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=antoinezanardi_werewolves-assistant-api-next)
-
 [![Code Smells](https://sonarcloud.io/api/project_badges/measure?project=antoinezanardi_werewolves-assistant-api-next&metric=code_smells)](https://sonarcloud.io/summary/new_code?id=antoinezanardi_werewolves-assistant-api-next)
 
 [![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=antoinezanardi_werewolves-assistant-api-next&metric=reliability_rating)](https://sonarcloud.io/summary/new_code?id=antoinezanardi_werewolves-assistant-api-next)
-
 [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=antoinezanardi_werewolves-assistant-api-next&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=antoinezanardi_werewolves-assistant-api-next)
-
 [![Bugs](https://sonarcloud.io/api/project_badges/measure?project=antoinezanardi_werewolves-assistant-api-next&metric=bugs)](https://sonarcloud.io/summary/new_code?id=antoinezanardi_werewolves-assistant-api-next)
 
-
-
-
 ## <a name="versions">📈 Releases & Changelog</a>
 
 Releases on **main** branch are generated and published automatically by :