diff --git a/.github/workflows/cloud_code_scan.yml b/.github/workflows/cloud_code_scan.yml new file mode 100644 index 0000000..c870fb4 --- /dev/null +++ b/.github/workflows/cloud_code_scan.yml @@ -0,0 +1,25 @@ +# 此YAML文件定义了两个作业,分别用于进行安全扫描和开源合规的代码扫描,使用了相同的GitHub Action,并传入了不同的参数。 +name: Alipay Cloud Devops Codescan +on: + pull_request_target: +jobs: + # # stc作业使用了ubuntu-latest作为运行环境,包含了一个步骤(steps)codeScan,该步骤使用了layotto/alipay-cloud-devops-codescan@main作为GitHub Action,并传入了一些参数(parent_uid、private_key、code_type) + stc: # 安全扫描 + runs-on: ubuntu-latest + steps: + - name: codeScan + uses: layotto/alipay-cloud-devops-codescan@main + with: + parent_uid: ${{ secrets.ALI_PID }} + private_key: ${{ secrets.ALI_PK }} + scan_type: stc + # sca作业也使用了ubuntu-latest作为运行环境。sca作业也包含了一个步骤codeScan,使用了相同的GitHub Action,并传入了相同的参数。 + sca: # 开源合规 + runs-on: ubuntu-latest + steps: + - name: codeScan + uses: layotto/alipay-cloud-devops-codescan@main + with: + parent_uid: ${{ secrets.ALI_PID }} + private_key: ${{ secrets.ALI_PK }} + scan_type: sca diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 0000000..c099487 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,56 @@ +name: Codeql Analysis 🌊 + +#每周五的凌晨 4 点触发执行。 +on: + schedule: + - cron: '0 4 * * 5' + +jobs: + # 该工作流程有一个名为 "analyse" 的任务,用于进行代码质量分析。 + analyse: + name: CodeQL + runs-on: ubuntu-latest # 任务运行在最新版的 Ubuntu 操作系统上。 + + steps: + - name: Checkout repository + # 首先,通过 "actions/checkout@v2" 动作将代码仓库检出到工作目录。 + uses: actions/checkout@v2 + with: + # We must fetch at least the immediate parents so that if this is + # a pull request then we can checkout the head. + fetch-depth: 2 + + # If this run was triggered by a pull request event, then checkout + # the head of the pull request instead of the merge commit. + # 如果该运行是由 pull request 事件触发的,则使用 "git checkout" 命令将代码检出到 pull request 的 head。 + - run: git checkout HEAD^2 + if: ${{ github.event_name == 'pull_request' }} + + # Initializes the CodeQL tools for scanning. + # 使用 "github/codeql-action/init@v1" 动作初始化 CodeQL 工具以进行扫描。 + - name: Initialize CodeQL + uses: github/codeql-action/init@v1 + # Override language selection by uncommenting this and choosing your languages + # with: + # languages: go, javascript, csharp, python, cpp, java + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + # 如果项目是编译语言(如 C/C++、C# 或 Java),则使用 "github/codeql-action/autobuild@v1" 动作尝试自动构建项目。 + - name: Autobuild + uses: github/codeql-action/autobuild@v1 + + # ℹ️ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl + + # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language + + #- run: | + # make bootstrap + # make release + # 如果自动构建失败,则需要手动构建项目并将构建命令添加到这里。 + - name: Perform CodeQL Analysis + #最后,使用 "github/codeql-action/analyze@v1" 动作执行 CodeQL 分析。 + uses: github/codeql-action/analyze@v1