.github/workflows/codeql.yml - external/github.com/intel/ittapi - Git at Google

 name: "CodeQL"

 on:
   push:
     branches: ["master"]
   pull_request:
     branches: ["master"]
   schedule:
     # Run every Monday at midnight
     - cron: "0 0 * * 1"

 permissions:
   contents: read

 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
     permissions:
       actions: read
       contents: read
       security-events: write

     strategy:
       fail-fast: false
       matrix:
         language: ["cpp", "python"]

     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

       - name: Initialize CodeQL
         uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
         with:
           languages: ${{ matrix.language }}

       - name: Autobuild
         uses: github/codeql-action/autobuild@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9

       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
         with:
           category: "/language:${{matrix.language}}"

       - name: Generate CodeQL Security Report
         uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4
         with:
           template: report
           token: ${{ secrets.GITHUB_TOKEN }}

       - name: Upload CodeQL Security Report
         uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: codeql-report-${{ matrix.language }}
           path: report.pdf

   analyze_rust:
     name: Analyze (Rust)
     runs-on: ubuntu-latest
     permissions:
       contents: read
       security-events: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

       - name: Install clippy
         run: rustup component add clippy

       - name: Install cargo-binstall
         uses: cargo-bins/cargo-binstall@e7cc28468cf17df7cb288daea80c0c5437af360b # 1.16.7

       - name: Install dependencies
         run: cargo binstall --no-confirm clippy-sarif sarif-fmt

       - name: Run clippy
         working-directory: rust
         run: |
           cargo clippy --all-features --message-format=json > clippy.json
           sed --in-place 's/"file_name":"itt/"file_name":"rust\/itt/g' clippy.json
           clippy-sarif --input clippy.json --output clippy.sarif
         continue-on-error: true

       - name: Print SARIF
         run: sarif-fmt --input rust/clippy.sarif

       - name: Upload analysis
         uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
         with:
           sarif_file: rust/clippy.sarif
           wait-for-processing: true

   analyze_bandit:
     name: Analyze (Bandit Scan)
     runs-on: ubuntu-latest
     permissions:
       actions: read
       contents: read
       security-events: write

     steps:
       - name: Install dependencies
         run: pip install sarif-tools

       - name: Perform Bandit Analysis
         uses: PyCQA/bandit-action@67a458d90fa11fb1463e91e7f4c8f068b5863c7f # v1.0.1
         continue-on-error: true
         with:
           targets: "python"

       - name: Convert SARIF report to HTML
         run: sarif html --output bandit-report.html results.sarif

       - name: Upload Bandit Scan report
         uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: bandit-report
           path: bandit-report.html
	name: "CodeQL"

	on:
	push:
	branches: ["master"]
	pull_request:
	branches: ["master"]
	schedule:
	# Run every Monday at midnight
	- cron: "0 0 * * 1"

	permissions:
	contents: read

	jobs:
	analyze:
	name: Analyze
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write

	strategy:
	fail-fast: false
	matrix:
	language: ["cpp", "python"]

	steps:
	- name: Checkout repository
	uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

	- name: Initialize CodeQL
	uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
	with:
	languages: ${{ matrix.language }}

	- name: Autobuild
	uses: github/codeql-action/autobuild@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
	with:
	category: "/language:${{matrix.language}}"

	- name: Generate CodeQL Security Report
	uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4
	with:
	template: report
	token: ${{ secrets.GITHUB_TOKEN }}

	- name: Upload CodeQL Security Report
	uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
	with:
	name: codeql-report-${{ matrix.language }}
	path: report.pdf

	analyze_rust:
	name: Analyze (Rust)
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write
	steps:
	- name: Checkout repository
	uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

	- name: Install clippy
	run: rustup component add clippy

	- name: Install cargo-binstall
	uses: cargo-bins/cargo-binstall@e7cc28468cf17df7cb288daea80c0c5437af360b # 1.16.7

	- name: Install dependencies
	run: cargo binstall --no-confirm clippy-sarif sarif-fmt

	- name: Run clippy
	working-directory: rust
	run: \|
	cargo clippy --all-features --message-format=json > clippy.json
	sed --in-place 's/"file_name":"itt/"file_name":"rust\/itt/g' clippy.json
	clippy-sarif --input clippy.json --output clippy.sarif
	continue-on-error: true

	- name: Print SARIF
	run: sarif-fmt --input rust/clippy.sarif

	- name: Upload analysis
	uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
	with:
	sarif_file: rust/clippy.sarif
	wait-for-processing: true

	analyze_bandit:
	name: Analyze (Bandit Scan)
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write

	steps:
	- name: Install dependencies
	run: pip install sarif-tools

	- name: Perform Bandit Analysis
	uses: PyCQA/bandit-action@67a458d90fa11fb1463e91e7f4c8f068b5863c7f # v1.0.1
	continue-on-error: true
	with:
	targets: "python"

	- name: Convert SARIF report to HTML
	run: sarif html --output bandit-report.html results.sarif

	- name: Upload Bandit Scan report
	uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
	with:
	name: bandit-report
	path: bandit-report.html