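# Static analysis workflow for the repository:
#   - zizmor: audits the GitHub Actions workflows themselves
#   - CodeQL: analyzes the cpp and ruby code, with a SARIF filter for known
#     false positives in the ruby results
# Runs on pushes to master, on pull requests, daily at 12:00 UTC and on demand.
name: 'Check SAST tool'

on:  # yamllint disable-line rule:truthy
  push:
    branches: ['master']
    # Documentation-only changes do not need a SAST run.
    paths-ignore:
      - 'doc/**'
      - '**/man/*'
      - '**.md'
      - '**.rdoc'
      - '**/.document'
      - '.*.yml'
  pull_request:
    paths-ignore:
      - 'doc/**'
      - '**/man/*'
      - '**.md'
      - '**.rdoc'
      - '**/.document'
      - '.*.yml'
  schedule:
    - cron: '0 12 * * *'
  workflow_dispatch:

# One run per PR branch (older PR runs are cancelled); pushes are keyed by
# commit SHA so they are never cancelled by a newer push.
concurrency:
  group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
  cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}

# Least-privilege default token; jobs widen it only where they need to.
permissions: # added using https://github.com/step-security/secure-workflows
  contents: read

jobs:
  zizmor:
    name: zizmor
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # zizmor-action uploads its findings to code scanning
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave the workflow token in .git/config for later steps.
          persist-credentials: false
      - name: Run zizmor
        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
        # Findings are reported but never fail the workflow.
        continue-on-error: true

  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read # for github/codeql-action/init to get workflow details
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/autobuild to send a status report
    # Skip documentation-only commits/PRs.
    # CodeQL fails to run pull requests from dependabot due to missing write access to upload results.
    # The dependabot check is evaluated on the pull_request event, where
    # github.event.pull_request is populated (on push events it is empty, so a
    # check there would never match).
    if: >-
      ${{!(false
      || contains(github.event.head_commit.message, '[DOC]')
      || contains(github.event.pull_request.title, '[DOC]')
      || contains(github.event.pull_request.labels.*.name, 'Documentation')
      || (github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]')
      )}}
    env:
      # Quoted: an unquoted `no` is a YAML 1.1 boolean and may reach the build
      # as "false" rather than the literal token. Presumably consumed as an
      # autoconf-style `enable_*` preset by configure — confirm against the
      # setup actions.
      enable_install_doc: 'no'
    strategy:
      fail-fast: false
      matrix:
        # NOTE(review): only `language` is defined here; the steps below that
        # test `matrix.os` therefore never run (see per-step notes).
        include:
          - language: cpp
          - language: ruby
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave the workflow token in .git/config for later steps.
          persist-credentials: false

      - name: Install libraries
        # NOTE(review): `matrix.os` is not set in this matrix, so this
        # condition is always false and the step is skipped — add `os` to the
        # matrix entries or drop the step; confirm intent.
        if: ${{ contains(matrix.os, 'macos') }}
        uses: ./.github/actions/setup/macos

      - name: Install libraries
        # NOTE(review): same as above — `matrix.os` is undefined, step is
        # currently skipped.
        if: ${{ matrix.os == 'ubuntu-latest' }}
        uses: ./.github/actions/setup/ubuntu

      - uses: ./.github/actions/setup/directories

      - name: Remove an obsolete rubygems vendored file
        # NOTE(review): `matrix.os` is undefined, step is currently skipped.
        if: ${{ matrix.os == 'ubuntu-latest' }}
        run: sudo rm /usr/lib/ruby/vendor_ruby/rubygems/defaults/operating_system.rb

      - name: Initialize CodeQL
        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          languages: ${{ matrix.language }}
          trap-caching: false
          debug: true

      - name: Autobuild
        uses: github/codeql-action/autobuild@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          category: '/language:${{ matrix.language }}'
          # Results are written to disk and uploaded by the last step, so the
          # ruby results can be filtered first.
          upload: false
          output: sarif-results

      - name: filter-sarif
        uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # v1.0.1
        with:
          # `+` keeps matching files, `-path:rule` drops that rule's results for
          # that file (known false positives); rewrites the SARIF in place.
          patterns: |
            +**/*.rb
            -lib/uri/mailto.rb:rb/overly-large-range
            -lib/uri/rfc3986_parser.rb:rb/overly-large-range
            -lib/bundler/vendor/uri/lib/uri/mailto.rb:rb/overly-large-range
            -lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb:rb/overly-large-range
            -test/ruby/test_io.rb:rb/non-constant-kernel-open
            -test/open-uri/test_open-uri.rb:rb/non-constant-kernel-open
            -test/open-uri/test_ssl.rb:rb/non-constant-kernel-open
            -spec/ruby/core/io/binread_spec.rb:rb/non-constant-kernel-open
            -spec/ruby/core/io/readlines_spec.rb:rb/non-constant-kernel-open
            -spec/ruby/core/io/foreach_spec.rb:rb/non-constant-kernel-open
            -spec/ruby/core/io/write_spec.rb:rb/non-constant-kernel-open
            -spec/ruby/core/io/read_spec.rb:rb/non-constant-kernel-open
            -spec/ruby/core/kernel/open_spec.rb:rb/non-constant-kernel-open
          input: sarif-results/${{ matrix.language }}.sarif
          output: sarif-results/${{ matrix.language }}.sarif
        # Only the ruby results have suppressions; a filter failure leaves the
        # unfiltered SARIF for upload.
        if: ${{ matrix.language == 'ruby' }}
        continue-on-error: true

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          sarif_file: sarif-results/${{ matrix.language }}.sarif
        # Upload may fail where the token lacks write access (e.g. PRs from
        # forks); do not fail the analysis for that.
        continue-on-error: true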