I am trying to set up CodeQL scanning on my repo. For that I am using the template GitHub provides:

```yaml
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: CodeQL
run-name: CodeQL
env:
  virtualMachine: ubuntu-latest
on:
  push:
    branches:
      - master
      - development
      - release/*
  pull_request:
    # The branches below must be a subset of the branches above
    branches:
      - master
      - development
  schedule:
    - cron: '0 9 * * *'
jobs:
  analyze:
    name: Analyze
    runs-on: ${{ env.virtualMachine }}
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language:
          - csharp
          - javascript
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
        # Use only 'java' to analyze code written in Java, Kotlin or both
        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
          # By default, queries listed here will override any specified in a config file.
          # Prefix the list here with "+" to use these queries and those in the config file.
          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
          # queries: security-extended,security-and-quality
      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2
      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
      # If the Autobuild fails above, remove it and uncomment the following three lines.
      # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
      # - run: |
      #     echo "Run, Build Application using script"
      #     ./location_of_script_within_repo/buildscript.sh
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
        with:
          category: "/language:${{matrix.language}}"
```

When I try to run it locally on my machine with nektos/act, I get the following error:
```
[CodeQL/Analyze-1] 🚀 Start image=catthehacker/ubuntu:full-latest
[CodeQL/Analyze-1] 🐳 docker pull image=catthehacker/ubuntu:full-latest platform= username=*** forcePull=true
[CodeQL/Analyze-1] 🐳 docker create image=catthehacker/ubuntu:full-latest platform= entrypoint=["tail" "-f" "/dev/null"] cmd=[]
[CodeQL/Analyze-1] 🐳 docker run image=catthehacker/ubuntu:full-latest platform= entrypoint=["tail" "-f" "/dev/null"] cmd=[]
[CodeQL/Analyze-1] ☁ git clone 'https://github.com/github/codeql-action' # ref=v2
[CodeQL/Analyze-1] ☁ git clone 'https://github.com/github/codeql-action' # ref=v2
[CodeQL/Analyze-1] ☁ git clone 'https://github.com/github/codeql-action' # ref=v2
[CodeQL/Analyze-1] 🧪 Matrix: map[language:csharp]
[CodeQL/Analyze-1] ⭐ Run Main Checkout repository
[CodeQL/Analyze-1] 🐳 docker cp src=C:\Users\ezequiel.de-luca\NoBackUp\Cobani\Repos\Cobani-content\. dst=/mnt/c/Users/ezequiel.de-luca/NoBackUp/Cobani/Repos/Cobani-content
[CodeQL/Analyze-1] ✅ Success - Main Checkout repository
[CodeQL/Analyze-1] ⭐ Run Main Initialize CodeQL
[CodeQL/Analyze-1] 🐳 docker cp src=C:\Users\ezequiel.de-luca\.cache\act\github-codeql-action-init@v2\ dst=/var/run/act/actions/github-codeql-action-init@v2/
[CodeQL/Analyze-1] 🐳 docker exec cmd=[node /var/run/act/actions/github-codeql-action-init@v2/lib/init-action.js] user= workdir=
[CodeQL/Analyze-1] ❗ ::error::init action failed: Not Found
[CodeQL/Analyze-1] ❗ ::error::init action failed: Not Found
[CodeQL/Analyze-1] ❌ Failure - Main Initialize CodeQL
[CodeQL/Analyze-1] ❗ ::error::init action failed: Not Found
[CodeQL/Analyze-1] failure
[CodeQL/Analyze-1] ⭐ Run Post Initialize CodeQL
[CodeQL/Analyze-1] 🐳 docker exec cmd=[node /var/run/act/actions/github-codeql-action-init@v2/lib/init-action-post.js] user= workdir=
[CodeQL/Analyze-1] 🚧 ::warning::Debug artifacts are not available because the 'init' action failed before producing any.
[CodeQL/Analyze-1] ✅ Success - Post Initialize CodeQL
| (node:36) UnhandledPromiseRejectionWarning: HttpError: Not Found
|     at /run/act/actions/github-codeql-action-init@v2/node_modules/@octokit/request/dist-node/index.js:66:23
|     at processTicksAndRejections (internal/process/task_queues.js:95:5)
|     at async Job.doExecute (/run/act/actions/github-codeql-action-init@v2/node_modules/bottleneck/light.js:405:18)
| (Use `node --trace-warnings ...` to show where the warning was created)
| (node:36) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 2)
| (node:36) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
[CodeQL/Analyze-1] 🏁 Job failed
Error: Job 'Analyze' failed
```
My understanding is that it cannot find the github/codeql-action/init action in the repo, but I do not see any error during `[CodeQL/Analyze-1] ☁ git clone 'https://github.com/github/codeql-action' # ref=v2`.

Do you know whether I should configure init differently?
According to this comment on the related GitHub issue (https://github.com/github/codeql-action/issues/967):

> ...codeql-action won't work as a local action through act. The failure is because the workflow is making a request to determine what its run_id is, and since that request is going through act, there is no workflow run.

I tried the suggestion there about passing GITHUB_RUN_ID with a recent workflow run ID:

`act -s GITHUB_TOKEN=[PAT] --env GITHUB_RUN_ID=[RECENT_RUN_ID]`

but that did not work for me.
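To make the failure the quoted comment describes concrete, here is an added diagnostic (not from the question, the answer or the codeql-action project) that performs the same kind of run lookup with the GITHUB_* values act exports into the container and explains why it comes back as Not Found; the endpoint `GET /repos/{owner}/{repo}/actions/runs/{run_id}`, the header names and the `check_run_lookup`/`github_get` helpers are assumptions of this example.

```python
"""Added diagnostic (not from the question, the answer or codeql-action): reproduce
the run lookup that fails under act. Assumption: the init step resolves the
current run via GET /repos/{owner}/{repo}/actions/runs/{run_id}."""
import json
import os
import urllib.error
import urllib.request


def github_get(url, token):
    """Real GET against the GitHub REST API. Returns (status, parsed body)."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": "Bearer " + token,
        "User-Agent": "act-run-lookup-check",
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}


def check_run_lookup(env, fetch=github_get):
    """Check the GITHUB_* values act exports, then perform the lookup.
    act fills in a placeholder GITHUB_RUN_ID because no real run exists, so
    the lookup answers 404, the 'init action failed: Not Found' in the log.
    fetch is injectable so the check can run offline. Returns (ok, reason)."""
    repo = env.get("GITHUB_REPOSITORY", "")
    run_id = env.get("GITHUB_RUN_ID", "")
    token = env.get("GITHUB_TOKEN", "")
    api = env.get("GITHUB_API_URL", "https://api.github.com").rstrip("/")
    if repo.count("/") != 1 or not all(repo.split("/")):
        return False, "GITHUB_REPOSITORY must be owner/name"
    if not run_id.isdigit():
        return False, "GITHUB_RUN_ID is missing or not numeric"
    if not token:
        return False, "GITHUB_TOKEN is empty (pass it with act -s GITHUB_TOKEN=...)"
    status, body = fetch("%s/repos/%s/actions/runs/%s" % (api, repo, run_id), token)
    if status == 404:
        return False, "Not Found: run %s is not visible in %s with this token" % (run_id, repo)
    if status in (401, 403):
        return False, "token rejected with HTTP %d" % status
    if status != 200:
        return False, "unexpected HTTP %d" % status
    return True, "run %s found; workflow file %s" % (run_id, body.get("path", "?"))


if __name__ == "__main__":
    ok, reason = check_run_lookup(os.environ)
    print(("OK: " if ok else "FAIL: ") + reason)
```

Run it inside the act container (or locally with the same variables and a PAT in GITHUB_TOKEN) to confirm whether the run ID you pass with `--env GITHUB_RUN_ID=...` is actually visible to that token for that repository.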