pqcee/qcve-action
QCVE - Code Scanning Example

This action analyzes a submitted CodeQL query against pre-defined databases built from public projects, and returns a SARIF report to a folder.

Example usage

name: CodeQL Scan
id: scan
uses: pqcee/QCVE-action@v1.0.0
with:
  username: 'john'
  report: '${{ github.workspace }}/output/john'
  query: '${{ github.workspace }}/queries/john'
  database: 'openssl'
  number: 1

Inputs

  • username: the name of the owner of the query.
  • report: location of generated sarif report.
  • query: location of submitted query.
  • database: selected database to analyze.
  • number: unique request number.

Available databases

  • openssl: database language javascript.
  • bitcoin: database language javascript.

Add New Database

  • Create a new folder inside the action/databases directory, named in the format {project-name}-{language}, for example openssl-cpp (figure 1).

  • Go to the root directory of the project you want to generate the QL database from, and run the CodeQL CLI command to generate a new database:

    codeql database create ./database --language=cpp
    
  • Open the database folder inside your project directory and copy all generated database content to the action/databases/openssl-cpp directory (figure 2).

  • For better documentation, please make sure you add your new database name to the Readme.md file (figure 3).

  • Commit, add a new tag and push the changes back to the repository:

    git add .
    git commit -m "commit message"
    git push origin
    git tag v1.0.1
    git push origin v1.0.1
    
  • Update your workflow step inside the qcve runner repository: open .github/workflows/main.yml (figure 4).

  • Find the section called CodeQL Scan and change the tag version of the action to match the tag you added previously (figure 5).

  • Next, you can try adding a new query to analyze your new database.
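The steps above scripted as one POSIX shell helper, added here as an example that is not part of the pqcee/qcve-action repository. It assumes (the README does not say) that the action checkout is at $ACTION_ROOT, that the CodeQL CLI is on PATH, and that a generated CodeQL database has a codeql-database.yml file at its top level; the function names valid_db_name, db_dir, next_tag and add_database are the example's own. It checks the {project-name}-{language} naming convention before anything is copied, verifies that codeql actually produced a database, and computes the next tag from the last one rather than hard-coding v1.0.1.

```shell
#!/bin/sh
# Added example, not code from pqcee/qcve-action. Scripts the "Add New Database"
# steps with the checks a maintainer would want before committing.
# Assumptions: $ACTION_ROOT is the action checkout, `codeql` is on PATH, and a
# generated database carries codeql-database.yml at its top level.
set -eu

# Languages accepted by `codeql database create --language=` (common subset).
KNOWN_LANGS="cpp csharp go java javascript python ruby swift"

# Return 0 when NAME follows {project-name}-{language} with a known language
# and a lower-case project part, 1 otherwise.
valid_db_name() {
  name="$1"
  lang="${name##*-}"
  project="${name%-*}"
  [ "$project" != "$name" ] || return 1   # no dash at all
  printf '%s' "$project" | grep -Eq '^[a-z0-9][a-z0-9-]*$' || return 1
  for l in $KNOWN_LANGS; do
    [ "$l" = "$lang" ] && return 0
  done
  return 1
}

# Destination directory for a database, relative to the action checkout.
db_dir() {
  printf 'action/databases/%s-%s\n' "$1" "$2"
}

# Bump the patch component of a tag such as v1.0.0 -> v1.0.1.
next_tag() {
  printf '%s' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$' || return 1
  tag="${1#v}"
  major="${tag%%.*}"; rest="${tag#*.}"
  minor="${rest%%.*}"; patch="${rest#*.}"
  printf 'v%s.%s.%s\n' "$major" "$minor" "$((patch + 1))"
}

# Steps 1-5 of the README for one database. Pushes are printed, not run,
# so the maintainer can review the commit and tag first.
add_database() {
  project="$1"; lang="$2"; src="$3"
  name="$project-$lang"
  valid_db_name "$name" || { echo "bad database name: $name" >&2; return 1; }
  dest="$ACTION_ROOT/$(db_dir "$project" "$lang")"
  mkdir -p "$dest"                                                   # step 1
  (cd "$src" && codeql database create ./database --language="$lang")   # step 2
  [ -f "$src/database/codeql-database.yml" ] || { echo "no database generated in $src/database" >&2; return 1; }
  cp -R "$src/database/." "$dest/"                                   # step 3
  echo "remember to list '$name' in $ACTION_ROOT/Readme.md"          # step 4
  last=$(git -C "$ACTION_ROOT" describe --tags --abbrev=0)           # step 5
  tag=$(next_tag "$last") || { echo "cannot bump tag '$last'" >&2; return 1; }
  git -C "$ACTION_ROOT" add -A
  git -C "$ACTION_ROOT" commit -m "Add $name CodeQL database"
  git -C "$ACTION_ROOT" tag "$tag"
  echo "tagged $tag; run: git push origin && git push origin $tag"
  echo "then set uses: pqcee/QCVE-action@$tag in the runner's .github/workflows/main.yml"
}

# Usage: ACTION_ROOT=/path/to/qcve-action sh add_db.sh openssl cpp /path/to/openssl
if [ "${1:-}" != "" ]; then
  : "${ACTION_ROOT:?set ACTION_ROOT to the qcve-action checkout}"
  add_database "$1" "$2" "$3"
fi
```

The naming check matters because the action locates databases by folder name: a folder that does not match {project-name}-{language} will silently never be selectable through the database input.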