name: CodeQL SAST on: push: branches: [main] pull_request: branches: [main] permissions: contents: read concurrency: group: codeql-${{ github.ref }}-${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true jobs: analyze: runs-on: ubuntu-latest # CodeQL needs security-events: write to upload results; scoped to this job so # the workflow's top-level token stays read-only (Scorecard TokenPermissions). permissions: security-events: write actions: read contents: read steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install build dependencies run: sudo apt-get update && sudo apt-get install -y zlib1g-dev - name: Initialize CodeQL uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 with: languages: c-cpp build-mode: manual - name: Build for CodeQL analysis run: scripts/build.sh - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 with: category: "/language:c-cpp"