CodeQL Analysis #4549
```yaml
name: CodeQL Analysis

# Security scanning should run on all branches and on schedule
on:
  # push:
  #   branches:
  #     - '**'  # All branches - security issues can be on any branch
  #   paths-ignore:
  #     - 'docs/**'
  # pull_request:
  #   paths-ignore:
  #     - 'docs/**'
  workflow_dispatch:  # Manual trigger for on-demand security scans
  schedule:
    - cron: '0 8 1 * *'  # Monthly at 8 AM UTC - catches new vulnerabilities

jobs:
  analyze:
    name: CodeQL Analysis
    runs-on: ubuntu-latest

    # Required permissions for CodeQL to read code and write security alerts
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      # v6 uses Node.js 24 (v4 uses deprecated Node.js 20)
      - name: Checkout repository
        uses: actions/checkout@v6

      # v5 uses Node.js 24, 'ga' ensures stable .NET 10 release
      - name: Setup .NET
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: '10.0.x'
          dotnet-quality: 'ga'  # General Availability - stable release

      # v4 uses Node.js 24, security-and-quality includes more checks
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: csharp
          queries: security-and-quality  # Extended query suite for better coverage

      # Manual build gives more control than autobuild
      - name: Restore dependencies
        run: dotnet restore ./Clean.Architecture.slnx

      # Release config for production-like analysis
      - name: Build
        run: dotnet build ./Clean.Architecture.slnx --configuration Release --no-restore

      # v4 uses Node.js 24 - performs the actual security analysis
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
```