diff --git a/actions/extractor/codeql-extractor.yml b/actions/extractor/codeql-extractor.yml
index a1b08602f32b..376abe32597b 100644
--- a/actions/extractor/codeql-extractor.yml
+++ b/actions/extractor/codeql-extractor.yml
@@ -1,5 +1,4 @@
 name: "actions"
-aliases: []
 display_name: "GitHub Actions"
 version: 0.0.1
 column_kind: "utf16"
@@ -8,9 +7,11 @@ build_modes:
 - none
 default_queries:
 - codeql/actions-queries
-file_coverage_languages: []
+# Actions workflows are not reported separately by the GitHub API, so we can't
+# associate them with a specific language.
 github_api_languages: []
-scc_languages: []
+scc_languages:
+  - YAML
 file_types:
 - name: workflow
   display_name: GitHub Actions workflow files
diff --git a/actions/extractor/tools/baseline-config.json b/actions/extractor/tools/baseline-config.json
new file mode 100644
index 000000000000..fde0bd1ecdff
--- /dev/null
+++ b/actions/extractor/tools/baseline-config.json
@@ -0,0 +1,10 @@
+{
+  "paths": [
+    ".github/workflows/*.yml",
+    ".github/workflows/*.yaml",
+    ".github/reusable_workflows/**/*.yml",
+    ".github/reusable_workflows/**/*.yaml",
+    "**/action.yml",
+    "**/action.yaml"
+  ]
+}
diff --git a/actions/extractor/tools/configure-baseline.cmd b/actions/extractor/tools/configure-baseline.cmd
new file mode 100755
index 000000000000..b9c1b3f7a028
--- /dev/null
+++ b/actions/extractor/tools/configure-baseline.cmd
@@ -0,0 +1,2 @@
+@echo off
+type "%CODEQL_EXTRACTOR_ACTIONS_ROOT%\tools\baseline-config.json"
diff --git a/actions/extractor/tools/configure-baseline.sh b/actions/extractor/tools/configure-baseline.sh
new file mode 100755
index 000000000000..6fd7605ef3f9
--- /dev/null
+++ b/actions/extractor/tools/configure-baseline.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cat "$CODEQL_EXTRACTOR_ACTIONS_ROOT/tools/baseline-config.json"
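Review bot: The new `scc_languages:` sequence is written in indented style (`  - YAML`) while every other sequence visible in this hunk of codeql-extractor.yml is flush with its key (`- none`, `- codeql/actions-queries`, `- name: workflow`), so the file now mixes both block-sequence indentations. Both forms parse identically, but yamllint's `indentation.indent-sequences` check and readers diffing this file expect one style per file. Keep the existing convention: `scc_languages:` followed by `- YAML` at the same column as the key.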
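Review bot: `type "%CODEQL_EXTRACTOR_ACTIONS_ROOT%\tools\baseline-config.json"` in configure-baseline.cmd expands the variable to an empty string when it is not defined, so the script would silently try to read `\tools\baseline-config.json` from the root of the current drive and report a confusing "file not found" rather than the real cause; the same applies to `cat "$CODEQL_EXTRACTOR_ACTIONS_ROOT/tools/baseline-config.json"` in configure-baseline.sh in the next hunk, which would read `/tools/baseline-config.json`. CodeQL presumably always sets this variable before invoking the baseline hook, but a one-line guard makes a misconfigured or hand-run invocation fail clearly: in the .cmd, add `if not defined CODEQL_EXTRACTOR_ACTIONS_ROOT exit /b 1` before the `type` line, and in the .sh, prefix the `cat` line with `: "${CODEQL_EXTRACTOR_ACTIONS_ROOT:?must be set}"` so the shell aborts with that message when the variable is unset or empty.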
diff --git a/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected b/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
index 4a12174ffbda..90ee8a79483c 100644
--- a/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
@@ -1,3 +1,4 @@
+ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
diff --git a/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected b/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
index d071a33c1861..111fc3e45243 100644
--- a/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
@@ -1,4 +1,5 @@
 ql/actions/ql/src/Debug/SyntaxError.ql
+ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
diff --git a/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected b/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
index 06a9c6745e48..6ee3140d0706 100644
--- a/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
@@ -1,3 +1,4 @@
+ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
diff --git a/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql b/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
new file mode 100644
index 000000000000..eebf889a3885
--- /dev/null
+++ b/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
@@ -0,0 +1,13 @@
+/**
+ * @id actions/diagnostics/successfully-extracted-files
+ * @name Extracted files
+ * @description List all files that were extracted.
+ * @kind diagnostic
+ * @tags successfully-extracted-files
+ */
+
+private import codeql.Locations
+
+from File f
+where exists(f.getRelativePath())
+select f, ""
diff --git a/actions/ql/src/change-notes/2025-09-05-file-coverage.md b/actions/ql/src/change-notes/2025-09-05-file-coverage.md
new file mode 100644
index 000000000000..27f026146477
--- /dev/null
+++ b/actions/ql/src/change-notes/2025-09-05-file-coverage.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Actions analysis now reports file coverage information on the CodeQL status page.
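Review bot: The `where exists(f.getRelativePath())` filter in SuccessfullyExtractedFiles.ql is the only logic in the query and carries no explanation, so a reader cannot tell why some `File` values are deliberately dropped from the diagnostic. Presumably only files under the source root have a relative path, and the filter exists so that files outside the checkout are not counted toward the coverage figure compared against the baseline; if that is the intent, say so above the clause, e.g. `// Only files under the source root have a relative path; anything else would not be in the baseline and must not count as extracted.` The empty message in `select f, ""` is likewise worth a short comment noting that the status page only consumes the file location for this diagnostic kind, if that is indeed the case.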