Merge branch 'main' into tf/azure-storage-account

Author: GeekMasher

.all-contributorsrc

@@ -56,6 +56,15 @@
         "design",
         "ideas"
       ]
+    },
+    {
+      "login": "ViktorLindstrm",
+      "name": "Viktor Lindström",
+      "avatar_url": "https://avatars.githubusercontent.com/u/3715582?v=4",
+      "profile": "https://github.com/ViktorLindstrm",
+      "contributions": [
+        "code"
+      ]
     }
   ]
-}
+}

.github/CODEOWNERS

@@ -1,3 +1,3 @@
-# This project is maintained with love by:
+# This project is maintained with love by
 
-- @geekmasher
+- @advanced-security/oss-maintainers

.github/action/dist/index.js

@@ -13530,7 +13530,7 @@ const toolcache = __importStar(__nccwpck_require__(7784));
 const github = __importStar(__nccwpck_require__(5438));
 const toolrunner = __importStar(__nccwpck_require__(8159));
 exports.EXTRACTOR_REPOSITORY = "advanced-security/codeql-extractor-iac";
-exports.EXTRACTOR_VERSION = "v0.4.0"; // stable version
+exports.EXTRACTOR_VERSION = "v0.4.1"; // stable version
 async function newCodeQL() {
     var version = core.getInput("extractor-version");
     if (version === "") {

.github/action/package-lock.json

@@ -36,7 +36,7 @@
   "dependencies": {
     "@actions/core": "^1.10.1",
     "@actions/exec": "^1.1.1",
-    "@actions/github": "^5.1.1",
+    "@actions/github": "^6.0.0",
     "@actions/tool-cache": "^2.0.1"
   },
   "devDependencies": {

.github/action/package.json

@@ -7,7 +7,7 @@ import * as github from "@actions/github";
 import * as toolrunner from "@actions/exec/lib/toolrunner";
 
 export const EXTRACTOR_REPOSITORY = "advanced-security/codeql-extractor-iac";
-export const EXTRACTOR_VERSION = "v0.4.0"; // stable version
+export const EXTRACTOR_VERSION = "v0.5.0"; // stable version
 
 export interface CodeQLConfig {
   // The path to the codeql bundle.

.github/action/src/codeql.ts

@@ -5,19 +5,38 @@
 
 version: 2
 updates:
-  - package-ecosystem: "cargo"
+  - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
     reviewers:
-      - "geekmasher"
+      - "advanced-security/oss-maintainers"
+    target-branch: "main"
+    commit-message:
+      prefix: deps
+      prefix-development: chore
+    labels:
+      - "Dependencies"
     groups:
-      extractor:
+      production-dependencies:
         dependency-type: "production"
+      development-dependencies:
+        dependency-type: "development"
 
-  - package-ecosystem: "github-actions"
+  - package-ecosystem: "cargo"
     directory: "/"
     schedule:
       interval: "weekly"
     reviewers:
-      - "geekmasher"
+      - "advanced-security/oss-maintainers"
+    target-branch: "main"
+    commit-message:
+      prefix: deps
+      prefix-development: chore
+    labels:
+      - "Dependencies"
+    groups:
+      production-dependencies:
+        dependency-type: "production"
+      development-dependencies:
+        dependency-type: "development"

.github/dependabot.yml

@@ -18,10 +18,12 @@ jobs:
         test-folders: ["library-tests", "queries-tests"]
     steps:
       - name: "Checkout"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
+        with:
+          submodules: true
 
       - name: "Check for changes"
-        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
         id: extractor-changes
         with:
           filters: |
@@ -35,6 +37,7 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
+          set -e
           gh release list -L 1 -R "advanced-security/codeql-extractor-iac"
 
           gh release download \
@@ -44,14 +47,18 @@ jobs:
 
           tar -zxf extractor-iac.tar.gz
 
-      - uses: dtolnay/rust-toolchain@nightly
+          chmod +x extractor-pack/tools/*.sh
+          chmod +x extractor-pack/tools/**/*          
+
+      - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable
         if: steps.extractor-changes.outputs.src == 'true'
 
       - name: "Build Extractor"
         if: steps.extractor-changes.outputs.src == 'true'
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
+          set -e
           gh extensions install github/gh-codeql
           gh codeql set-version latest
 
@@ -65,11 +72,87 @@ jobs:
         run: |
           ./scripts/run-tests.sh "ql/test/${{ matrix.test-folders }}"
 
+  # scanning:
+  #   runs-on: ubuntu-latest
+  #   needs: [tests]
+
+  #   strategy:
+  #     matrix:
+  #       # project: ["hashicorp/terraform-guides", "akamai/terraform-examples", "aws-samples/aws-sam-terraform-examples"]
+  #       project: []
+
+  #   steps:
+  #     - name: "Checkout"
+  #       uses: actions/checkout@v5
+  #       with:
+  #         submodules: true
+
+  #     - name: "Checkout"
+  #       uses: actions/checkout@v5
+  #       with:
+  #         repository: ${{ matrix.project }}
+  #         path: project
+
+  #     - name: "Check for changes"
+  #       uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+  #       id: extractor-changes
+  #       with:
+  #         filters: |
+  #           src:
+  #             - 'extractor/**'
+  #             - 'rust-toolchain.toml'
+  #             - 'Cargo.*'
+
+  #     - name: "Download Extracter"
+  #       if: steps.extractor-changes.outputs.src == 'false'
+  #       env:
+  #         GH_TOKEN: ${{ github.token }}
+  #       run: |
+  #         set -e
+  #         gh release list -L 1 -R "advanced-security/codeql-extractor-iac"
+
+  #         gh release download \
+  #             -R "advanced-security/codeql-extractor-iac" \
+  #             --clobber \
+  #             --pattern 'extractor-iac.tar.gz'
+
+  #         tar -zxf extractor-iac.tar.gz
+
+  #     - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable
+  #       if: steps.extractor-changes.outputs.src == 'true'
+
+  #     - name: "Build Extractor"
+  #       if: steps.extractor-changes.outputs.src == 'true'
+  #       env:
+  #         GH_TOKEN: ${{ github.token }}
+  #       run: |
+  #         set -e
+  #         gh extensions install github/gh-codeql
+  #         gh codeql set-version latest
+
+  #         ./scripts/create-extractor-pack.sh
+
+  #         gh codeql resolve languages --format=json --search-path ./extractor-pack
+
+  #     - name: "Run CodeQL Analysis"
+  #       env:
+  #         GH_TOKEN: ${{ github.token }}
+  #         PROJECT_REPO: ${{ matrix.project }}
+  #       run: |
+  #         set -e
+  #         gh extensions install github/gh-codeql
+  #         gh codeql set-version latest
+
+  #         gh codeql database create --language=iac --source-root=./project --search-path ./extractor-pack iac-db
+
+  #         gh codeql database analyze --search-path ./extractor-pack --format sarif-latest --output="iac-${PROJECT_REPO}.sarif" iac-db ./ql/src
+
+
   docs:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36
+      - uses: actions/checkout@v5
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
         id: changes
         with:
           filters: |
@@ -81,21 +164,3 @@ jobs:
         run: |
           npm install -g markdownlint-cli
           markdownlint '**.md' --ignore node_modules --disable MD013
-
-  action:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36
-        id: changes
-        with:
-          filters: |
-            src:
-              - '.github/action/**'
-              - 'action.yml'
-
-      - name: Run action
-        if: steps.changes.outputs.src == 'true'
-        uses: ./
-        with:
-          extractor-version: latest

.github/workflows/build.yml

@@ -0,0 +1,57 @@
+---
+name: "Copilot Setup Steps"
+
+# Automatically run the setup steps when they are changed to allow for
+# easy validation, and manual testing through the repository's Actions tab
+on:
+  workflow_dispatch: {}
+  push:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+  pull_request:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+
+jobs:
+  # The job MUST be called `copilot-setup-steps` or it will not be picked up
+  # by Copilot.
+  copilot-setup-steps:
+    runs-on: ubuntu-latest
+
+    # Set the permissions to the lowest permissions possible needed for your
+    # steps. Copilot will be given its own token for its operations.
+    permissions:
+      # If you want to clone the repository as part of your setup steps, for
+      # example to install dependencies, you'll need the `contents: read`
+      # permission. If you don't clone the repository in your setup steps,
+      # Copilot will do this for you automatically after the steps complete.
+      contents: read
+
+    # You can define any steps you want, and they will run before the agent
+    # starts. If you do not check out your code, Copilot will do this for you.
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Install GitHub CLI CodeQL extension
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          # Install GitHub CLI (should already be available in ubuntu-latest)
+          gh --version
+
+          # Install CodeQL CLI extension
+          gh extension install github/gh-codeql
+
+          # Set CodeQL to latest version
+          gh codeql set-version latest
+
+          # Verify the extension is installed and working
+          gh codeql version
+
+          # Install packs
+          (cd ./ql/src/ && gh codeql pack install)
+          (cd ./ql/lib/ && gh codeql pack install)
+          (cd ./ql/test/ && gh codeql pack install)

.github/workflows/copilot-setup-steps.yml

@@ -8,9 +8,12 @@ on:
 jobs:
   coverage:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: "Run Coverage Report"
         if: github.ref == 'refs/heads/main'