Merge branch 'main' into dependabot/github_actions/actions/labeler-6

Author: aegilops

.all-contributorsrc

@@ -56,6 +56,15 @@
         "design",
         "ideas"
       ]
+    },
+    {
+      "login": "ViktorLindstrm",
+      "name": "Viktor Lindström",
+      "avatar_url": "https://avatars.githubusercontent.com/u/3715582?v=4",
+      "profile": "https://github.com/ViktorLindstrm",
+      "contributions": [
+        "code"
+      ]
     }
   ]
-}
+}

.github/CODEOWNERS

@@ -1,3 +1,3 @@
-# This project is maintained with love by:
+# This project is maintained with love by
 
-- @geekmasher
+- @advanced-security/oss-maintainers

.github/action/src/codeql.ts

@@ -7,7 +7,7 @@ import * as github from "@actions/github";
 import * as toolrunner from "@actions/exec/lib/toolrunner";
 
 export const EXTRACTOR_REPOSITORY = "advanced-security/codeql-extractor-iac";
-export const EXTRACTOR_VERSION = "v0.4.1"; // stable version
+export const EXTRACTOR_VERSION = "v0.5.0"; // stable version
 
 export interface CodeQLConfig {
   // The path to the codeql bundle.

.github/dependabot.yml

@@ -5,19 +5,38 @@
 
 version: 2
 updates:
-  - package-ecosystem: "cargo"
+  - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
     reviewers:
-      - "geekmasher"
+      - "advanced-security/oss-maintainers"
+    target-branch: "main"
+    commit-message:
+      prefix: deps
+      prefix-development: chore
+    labels:
+      - "Dependencies"
     groups:
-      extractor:
+      production-dependencies:
         dependency-type: "production"
+      development-dependencies:
+        dependency-type: "development"
 
-  - package-ecosystem: "github-actions"
+  - package-ecosystem: "cargo"
     directory: "/"
     schedule:
       interval: "weekly"
     reviewers:
-      - "geekmasher"
+      - "advanced-security/oss-maintainers"
+    target-branch: "main"
+    commit-message:
+      prefix: deps
+      prefix-development: chore
+    labels:
+      - "Dependencies"
+    groups:
+      production-dependencies:
+        dependency-type: "production"
+      development-dependencies:
+        dependency-type: "development"

.github/workflows/build.yml

@@ -47,6 +47,9 @@ jobs:
 
           tar -zxf extractor-iac.tar.gz
 
+          chmod +x extractor-pack/tools/*.sh
+          chmod +x extractor-pack/tools/**/*          
+
       - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable
         if: steps.extractor-changes.outputs.src == 'true'
 
@@ -69,79 +72,80 @@ jobs:
         run: |
           ./scripts/run-tests.sh "ql/test/${{ matrix.test-folders }}"
 
-  scanning:
-    runs-on: ubuntu-latest
-    needs: [tests]
-
-    strategy:
-      matrix:
-        project: ["hashicorp/terraform-guides", "akamai/terraform-examples", "aws-samples/aws-sam-terraform-examples"]
-
-    steps:
-      - name: "Checkout"
-        uses: actions/checkout@v5
-        with:
-          submodules: true
-
-      - name: "Checkout"
-        uses: actions/checkout@v5
-        with:
-          repository: ${{ matrix.project }}
-          path: project
-
-      - name: "Check for changes"
-        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
-        id: extractor-changes
-        with:
-          filters: |
-            src:
-              - 'extractor/**'
-              - 'rust-toolchain.toml'
-              - 'Cargo.*'
-
-      - name: "Download Extracter"
-        if: steps.extractor-changes.outputs.src == 'false'
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          set -e
-          gh release list -L 1 -R "advanced-security/codeql-extractor-iac"
-
-          gh release download \
-              -R "advanced-security/codeql-extractor-iac" \
-              --clobber \
-              --pattern 'extractor-iac.tar.gz'
-
-          tar -zxf extractor-iac.tar.gz
-
-      - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable
-        if: steps.extractor-changes.outputs.src == 'true'
-
-      - name: "Build Extractor"
-        if: steps.extractor-changes.outputs.src == 'true'
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          set -e
-          gh extensions install github/gh-codeql
-          gh codeql set-version latest
-
-          ./scripts/create-extractor-pack.sh
-
-          gh codeql resolve languages --format=json --search-path ./extractor-pack
-
-      - name: "Run CodeQL Analysis"
-        env:
-          GH_TOKEN: ${{ github.token }}
-          PROJECT_REPO: ${{ matrix.project }}
-        run: |
-          set -e
-          gh extensions install github/gh-codeql
-          gh codeql set-version latest
-
-          gh codeql database create iac-db --language=iac --source-root=./project --search-path ./extractor-pack
-
-          gh codeql database analyze iac-db "advanced-security/iac-queries" --format=sarifv2.1.0 --output="iac-${PROJECT_REPO}.sarif"
+  # scanning:
+  #   runs-on: ubuntu-latest
+  #   needs: [tests]
+
+  #   strategy:
+  #     matrix:
+  #       # project: ["hashicorp/terraform-guides", "akamai/terraform-examples", "aws-samples/aws-sam-terraform-examples"]
+  #       project: []
+
+  #   steps:
+  #     - name: "Checkout"
+  #       uses: actions/checkout@v5
+  #       with:
+  #         submodules: true
+
+  #     - name: "Checkout"
+  #       uses: actions/checkout@v5
+  #       with:
+  #         repository: ${{ matrix.project }}
+  #         path: project
+
+  #     - name: "Check for changes"
+  #       uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+  #       id: extractor-changes
+  #       with:
+  #         filters: |
+  #           src:
+  #             - 'extractor/**'
+  #             - 'rust-toolchain.toml'
+  #             - 'Cargo.*'
+
+  #     - name: "Download Extracter"
+  #       if: steps.extractor-changes.outputs.src == 'false'
+  #       env:
+  #         GH_TOKEN: ${{ github.token }}
+  #       run: |
+  #         set -e
+  #         gh release list -L 1 -R "advanced-security/codeql-extractor-iac"
+
+  #         gh release download \
+  #             -R "advanced-security/codeql-extractor-iac" \
+  #             --clobber \
+  #             --pattern 'extractor-iac.tar.gz'
+
+  #         tar -zxf extractor-iac.tar.gz
+
+  #     - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable
+  #       if: steps.extractor-changes.outputs.src == 'true'
+
+  #     - name: "Build Extractor"
+  #       if: steps.extractor-changes.outputs.src == 'true'
+  #       env:
+  #         GH_TOKEN: ${{ github.token }}
+  #       run: |
+  #         set -e
+  #         gh extensions install github/gh-codeql
+  #         gh codeql set-version latest
+
+  #         ./scripts/create-extractor-pack.sh
+
+  #         gh codeql resolve languages --format=json --search-path ./extractor-pack
+
+  #     - name: "Run CodeQL Analysis"
+  #       env:
+  #         GH_TOKEN: ${{ github.token }}
+  #         PROJECT_REPO: ${{ matrix.project }}
+  #       run: |
+  #         set -e
+  #         gh extensions install github/gh-codeql
+  #         gh codeql set-version latest
+
+  #         gh codeql database create --language=iac --source-root=./project --search-path ./extractor-pack iac-db
+
+  #         gh codeql database analyze --search-path ./extractor-pack --format sarif-latest --output="iac-${PROJECT_REPO}.sarif" iac-db ./ql/src
 
 
   docs:

.github/workflows/copilot-setup-steps.yml

@@ -0,0 +1,57 @@
+---
+name: "Copilot Setup Steps"
+
+# Automatically run the setup steps when they are changed to allow for
+# easy validation, and manual testing through the repository's Actions tab
+on:
+  workflow_dispatch: {}
+  push:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+  pull_request:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+
+jobs:
+  # The job MUST be called `copilot-setup-steps` or it will not be picked up
+  # by Copilot.
+  copilot-setup-steps:
+    runs-on: ubuntu-latest
+
+    # Set the permissions to the lowest permissions possible needed for your
+    # steps. Copilot will be given its own token for its operations.
+    permissions:
+      # If you want to clone the repository as part of your setup steps, for
+      # example to install dependencies, you'll need the `contents: read`
+      # permission. If you don't clone the repository in your setup steps,
+      # Copilot will do this for you automatically after the steps complete.
+      contents: read
+
+    # You can define any steps you want, and they will run before the agent
+    # starts. If you do not check out your code, Copilot will do this for you.
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+        with:
+          submodules: true
+
+      - name: Install GitHub CLI CodeQL extension
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          # Install GitHub CLI (should already be available in ubuntu-latest)
+          gh --version
+
+          # Install CodeQL CLI extension
+          gh extension install github/gh-codeql
+
+          # Set CodeQL to latest version
+          gh codeql set-version latest
+
+          # Verify the extension is installed and working
+          gh codeql version
+
+          # Install packs
+          (cd ./ql/src/ && gh codeql pack install)
+          (cd ./ql/lib/ && gh codeql pack install)
+          (cd ./ql/test/ && gh codeql pack install)

.github/workflows/coverage.yml

@@ -22,7 +22,7 @@ jobs:
           ./scripts/create-coverage.py report --markdown > $GITHUB_STEP_SUMMARY
 
       - name: "Upload Coverage Report"
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: coverage-report
           path: coverage.csv