From 2e571332a7baf264245f90991117c464e19f1d20 Mon Sep 17 00:00:00 2001
From: Misfit <218383634+JaclynCodes@users.noreply.github.com>
Date: Thu, 18 Dec 2025 20:18:56 -0500
Subject: [PATCH 1/4] Add Codacy security scan workflow
This workflow integrates Codacy security scans with GitHub Actions, checking code on push and pull requests to the main branch, and scheduling weekly scans.
Signed-off-by: Misfit <218383634+JaclynCodes@users.noreply.github.com>
---
.github/workflows/codacy.yml | 61 ++++++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
create mode 100644 .github/workflows/codacy.yml
diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml
new file mode 100644
index 00000000000..1ffa8dcb608
--- /dev/null
+++ b/.github/workflows/codacy.yml 
@@ -0,0 +1,61 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, performs a Codacy security scan
+# and integrates the results with the
+# GitHub Advanced Security code scanning feature. For more information on
+# the Codacy security scan action usage and parameters, see
+# https://github.com/codacy/codacy-analysis-cli-action.
+# For more information on Codacy Analysis CLI in general, see
+# https://github.com/codacy/codacy-analysis-cli.
+
+name: Codacy Security Scan
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '43 17 * * 0'
+
+permissions:
+ contents: read
+
+jobs:
+ codacy-security-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ name: Codacy Security Scan
+ runs-on: ubuntu-latest
+ steps:
+ # Checkout the repository to the GitHub Actions runner
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
+ - name: Run Codacy Analysis CLI
+ uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b
+ with:
+ # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository
+ # You can also omit the token and run the tools that support default configurations
+ project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
+ verbose: true
+ output: results.sarif
+ format: sarif
+ # Adjust severity of non-security issues
+ gh-code-scanning-compat: true
+ # Force 
0 exit code to allow SARIF file generation
+ # This will handover control about PR rejection to the GitHub side
+ max-allowed-issues: 2147483647
+
+ # Upload the SARIF file generated in the previous step
+ - name: Upload SARIF results file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
From 6c0dfce40cade21acd7b039746bdc9967859d588 Mon Sep 17 00:00:00 2001
From: Misfit <218383634+JaclynCodes@users.noreply.github.com>
Date: Thu, 18 Dec 2025 20:31:15 -0500
Subject: [PATCH 2/4] Update .github/workflows/codacy.yml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Misfit <218383634+JaclynCodes@users.noreply.github.com>
---
.github/workflows/codacy.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml
index 1ffa8dcb608..59a6b08df45 100644
--- a/.github/workflows/codacy.yml
+++ b/.github/workflows/codacy.yml
@@ -40,6 +40,8 @@ jobs: # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis - name: Run Codacy Analysis CLI + # Pinned to a specific commit SHA for security; update this SHA when bumping the Codacy action version. + # When updating, look up and note the corresponding release tag for this commit in Codacy's repository. uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b with: # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository
From 50949f7c779797f66a3ca9d5d47d4383324d8d6d Mon Sep 17 00:00:00 2001
From: Misfit <218383634+JaclynCodes@users.noreply.github.com>
Date: Thu, 18 Dec 2025 20:33:10 -0500
Subject: [PATCH 3/4] Update .github/workflows/codacy.yml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Misfit <218383634+JaclynCodes@users.noreply.github.com>
---
.github/workflows/codacy.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-) 
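Review bot: The three actions in this hunk are pinned inconsistently: `codacy/codacy-analysis-cli-action` is pinned to a full commit SHA while `actions/checkout` and `github/codeql-action/upload-sarif` are pinned to mutable major tags, so a retagged or compromised release behind either tag would run in a job that holds `security-events: write` with no change to this file; the later hunk that adds the SHA-pinning comment for the Codacy step leaves both tag pins in place. Pin all three by full commit SHA and record the release each SHA corresponds to on the `uses:` line itself, e.g. `uses: actions/checkout@<full-commit-sha>  # <release-tag>` (placeholders), which keeps the pin reviewable when it is bumped; the Codacy line should carry the same trailing tag comment rather than only asking a future maintainer to look it up. Separately, since the workflow also runs on `pull_request`, runs for pull requests from forks are expected not to receive `secrets.CODACY_PROJECT_TOKEN`, so `project-token` expands empty and the scan falls back to the default tool set the comment mentions; a one-line comment stating that fork PRs are scanned without the token would stop such a run being mistaken for a full scan.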
diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml
index 59a6b08df45..a3215b15c8a 100644
--- a/.github/workflows/codacy.yml
+++ b/.github/workflows/codacy.yml
@@ -36,7 +36,7 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v5 # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis - name: Run Codacy Analysis CLI
From 16eef0ff998b75829d6b5f054daad1a57af0c22c Mon Sep 17 00:00:00 2001
From: Misfit <218383634+JaclynCodes@users.noreply.github.com>
Date: Thu, 18 Dec 2025 20:33:54 -0500
Subject: [PATCH 4/4] Update .github/workflows/codacy.yml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Misfit <218383634+JaclynCodes@users.noreply.github.com>
---
.github/workflows/codacy.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml
index a3215b15c8a..3eecb7cf558 100644
--- a/.github/workflows/codacy.yml
+++ b/.github/workflows/codacy.yml
@@ -53,7 +53,7 @@ jobs: # Adjust severity of non-security issues gh-code-scanning-compat: true # Force 0 exit code to allow SARIF file generation - # This will handover control about PR rejection to the GitHub side + # This will hand over control about PR rejection to the GitHub side max-allowed-issues: 2147483647 # Upload the SARIF file generated in the previous step