Enable code/dependency scanning (#323)

Signed-off-by: omrishiv <[email protected]>
cnoe-io · Jun 21, 2024 · a4d6883 · a4d6883
1 parent 474821d
commit a4d6883
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/.github/workflows/code-scanner.yaml b/.github/workflows/code-scanner.yaml
@@ -0,0 +1,32 @@
+name: code-scanner
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+    types: [opened, ready_for_review, synchronize]
+
+permissions:
+  contents: write
+  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+
+jobs:
+  code-analysis:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - run: ls -al
+      - name: Scan current project
+        id: scan
+        uses: anchore/scan-action@v3
+        with:
+          fail-build: false
+          path: "."
+
+      - name: Upload scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}