This action analyzes a submitted CodeQL query against pre-defined databases built from public projects and returns a SARIF report to a folder.
```yaml
- name: CodeQL Scan
  id: scan
  uses: pqcee/QCVE-action@v1.0.0
  with:
    username: 'john'
    report: '${{ github.workspace }}/output/john'
    query: '${{ github.workspace }}/queries/john'
    database: 'openssl'
    number: 1
```
- `username`: the name of the owner of the query.
- `report`: location of the generated SARIF report.
- `query`: location of the submitted query.
- `database`: selected database to analyze.
- `number`: unique request number.
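Consuming the report the step writes: an added example (not part of QCVE-action) that parses the SARIF 2.1.0 files found under the `report` path, counts results per rule and per severity level, and lets a later workflow step fail on error-level findings. The sample document, rule id and file paths are constructed for illustration.

```python
import json, os
from collections import Counter

# Constructed sample in the SARIF 2.1.0 layout CodeQL emits (abridged, made-up values).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "cpp/example-unbounded-copy",
             "defaultConfiguration": {"level": "error"}}]}},
        "results": [
            {"ruleId": "cpp/example-unbounded-copy", "message": {"text": "Unbounded copy."},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crypto/x.c"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "cpp/example-unbounded-copy", "level": "warning",
             "message": {"text": "Unbounded copy."},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ssl/y.c"},
                                                 "region": {"startLine": 7}}}]},
        ],
    }],
}

def summarize_sarif(doc):
    """Return (count per rule, count per level, [(file, line, rule), ...])."""
    by_rule, by_level, findings = Counter(), Counter(), []
    for run in doc.get("runs", []):
        # A result may omit "level"; SARIF then takes the rule's default level.
        defaults = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
                    for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule = res.get("ruleId", "<unknown>")
            level = res.get("level") or defaults.get(rule, "warning")
            by_rule[rule] += 1
            by_level[level] += 1
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                findings.append((phys.get("artifactLocation", {}).get("uri", "?"),
                                 phys.get("region", {}).get("startLine", 0), rule))
    return by_rule, by_level, findings

def report_dir_has_errors(report_dir):
    """True if any .sarif file under report_dir holds an error-level result."""
    for root, _dirs, files in os.walk(report_dir):
        for name in files:
            if name.endswith(".sarif"):
                with open(os.path.join(root, name), encoding="utf-8") as fh:
                    if summarize_sarif(json.load(fh))[1]["error"]:
                        return True
    return False
```

Point `report_dir_has_errors` at the same path given to the `report` input to turn findings into a failing job.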
- `openssl`: database language javascript.
- `bitcoin`: database language javascript.
- Create a new folder inside the `action/databases` directory using the name format `{project-name}-{language}`, for example `openssl-cpp`.
- Go to your project root directory (the project you want to generate the QL database from) and run the CodeQL CLI command to generate a new database:

  ```
  codeql database create ./database --language=cpp
  ```

- Open the `database` folder inside your project directory and copy all generated database content to the `action/databases/openssl-cpp` directory.
- For better documentation, please make sure you add your new database name to the Readme.md file.
- Commit, add a new tag and push the changes back to the repository:
  ```sh
  git add .
  git commit -m "commit message"
  git push origin
  git tag v1.0.1
  git push origin v1.0.1
  ```
- Update your workflow step inside the qcve runner repository: open `.github/workflows/main.yml`.
- Find the section called `CodeQL Scan` and change the tag version of the Action to match the tag you added previously.
- Next, you can try to add a new query to analyze your new database.