Internal - Add CodeQL scanning for GitHub Actions workflows#492
Merged
Contributor
Pull request overview
Extends the existing CodeQL code-scanning workflow to also analyze GitHub Actions workflow YAML files (the `actions` CodeQL language), while avoiding unnecessary Java build steps for the actions scan.
Changes:
- Expand the CodeQL language matrix from `java` to `java+actions`.
- Make JDK/Gradle setup and the Gradle build conditional so they only run for the `java` matrix entry.
xuan-cao-swi approved these changes on May 20, 2026
TLDR
Extends the existing CodeQL security scanning to also analyze GitHub Actions workflow files for vulnerabilities such as script injection and unsafe use of untrusted input.
Details
CodeQL supports an `actions` language target that statically analyzes workflow YAML files for security anti-patterns — most notably `${{ }}` expression injection in `run:` blocks, use of mutable tags, and overly broad permissions.
The `actions` language does not require a build step, so the existing Java build steps (JDK setup, Gradle setup, Gradle build) are now conditional on `matrix.language == 'java'` to avoid unnecessary work in the actions analysis job.
The language matrix now produces two parallel jobs:
- `java` — compiles the project and runs CodeQL semantic analysis on Java source
- `actions` — runs CodeQL static analysis on workflow definitions without a build