Code Scanning workflows are usually owned and managed by developer teams, but larger organizations often prefer a model where a central security team is in control of the configuration of the analysis.
This repo contains:
- a centralized reusable workflow owned by the security team
- a centralized CodeQL configuration file
- a standardized CodeQL workflow that is pushed to all the interested repos and allows for a few parameters (e.g. language exclusion)
Repository-specific customizations are possible by adding a local build action in `.github/actions/custom_build/action.yml` and a CodeQL configuration in `.github/codeql/codeql-config.yml`.
Customization changes can be controlled using the `CODEOWNERS` file.
Examples:
- https://github.com/mbaluda-org/dev_team_default/actions
- https://github.com/mbaluda-org/WebGoat_custom_build/actions
- Push the workflow file to every repo which is part of the roll-out (e.g. mbaluda-org/dev_team_default)
- [OPTIONAL] Add the workflow file to `CODEOWNERS` (e.g. mbaluda-org/dev_team_default)
- Customize the repo-specific build by creating a local action named `custom_build` (e.g. mbaluda-org/WebGoat_custom_build)
- Customize the repo-specific CodeQL config in `.github/codeql/codeql-config.yml` (e.g. mbaluda-org/WebGoat_custom_build)
- The reusable workflow can be diversified in feature branches (e.g. project Lombok support, continue-on-error)
- Add the workflow and the configuration files to `CODEOWNERS` (e.g. mbaluda-org/WebGoat_custom_build)
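As an added illustration (not the workflow shipped in this repo), the following is a reusable workflow of the kind described above: it takes a language list as its caller-supplied parameter, prefers a repo-local `.github/codeql/codeql-config.yml` over the central config, and runs the repo's `custom_build` action when one exists, otherwise CodeQL autobuild. The central repo name `security-team/codeql-central` is a placeholder assumption; a rolled-out repo would call this file with `uses: security-team/codeql-central/.github/workflows/codeql.yml@main`.

```yaml
name: CodeQL (centrally managed)
on:
  workflow_call:
    inputs:
      languages:
        description: 'JSON array of CodeQL languages, e.g. ["java","javascript"]'
        required: false
        type: string
        default: '["java"]'

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: ${{ fromJSON(inputs.languages) }}
    steps:
      - uses: actions/checkout@v4
      # Pick the repo-local CodeQL config when present, else the central one.
      # (security-team/codeql-central is a placeholder for the security team's repo.)
      - id: pick
        shell: bash
        run: |
          if [ -f .github/codeql/codeql-config.yml ]; then
            echo "config=./.github/codeql/codeql-config.yml" >> "$GITHUB_OUTPUT"
          else
            echo "config=security-team/codeql-central/.github/codeql/codeql-config.yml@main" >> "$GITHUB_OUTPUT"
          fi
          # A repo-specific build action overrides CodeQL autobuild.
          if [ -f .github/actions/custom_build/action.yml ]; then
            echo "custom_build=true" >> "$GITHUB_OUTPUT"
          else
            echo "custom_build=false" >> "$GITHUB_OUTPUT"
          fi
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          config-file: ${{ steps.pick.outputs.config }}
      - if: steps.pick.outputs.custom_build == 'true'
        uses: ./.github/actions/custom_build
      - if: steps.pick.outputs.custom_build != 'true'
        uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Because the local `custom_build` action and `codeql-config.yml` are read from the calling repo's checkout, listing both paths in that repo's `CODEOWNERS` is what keeps the security team in the approval path for changes to them.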