
ci: add CodeQL workflow for C/C++ analysis (#243)#315

Merged
1a1a11a merged 2 commits into 1a1a11a:develop from IsseiHasegawa:feature/codeql on May 1, 2026

Conversation

@IsseiHasegawa
Contributor

What

Add a GitHub Actions workflow for CodeQL static analysis at .github/workflows/codeql-analysis.yml.

Why

Issue #243 requests enabling SAST with CodeQL so results are visible in the Security tab and in PR checks.

Changes

  • Add CodeQL workflow triggered on:
    • push
    • pull_request
  • Configure CodeQL language as cpp (covers C/C++).
  • Set required permissions for SARIF upload:
    • contents: read
    • security-events: write
  • Exclude non-core path from scanning:
    • libCacheSim-node
  • Use manual build mode for better reliability with this CMake/Ninja project:
    • install deps via scripts/install_dependency.sh
    • cmake -G Ninja -B build -DCMAKE_BUILD_TYPE=Release
    • ninja -C build
  • Keep workflow minimal with concurrency control to avoid duplicate in-flight runs.

Validation

  • Confirm workflow is detected in Actions.
  • Confirm CodeQL check appears on PR.
  • Confirm code scanning results are uploaded to the Security tab.

Closes #243
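The settings the description lists, assembled into one workflow as an added illustration; this is not the `.github/workflows/codeql-analysis.yml` merged in this PR. The action versions, the `ubuntu-latest` runner, the inline `config` block used for the path exclusion, the `cancel-in-progress` expression, the `category` value and the way `scripts/install_dependency.sh` is invoked are assumptions, not details taken from the PR.

```yaml
# Added illustration of the workflow described in #315; not the merged file.
# Assumed: ubuntu-latest, actions/checkout@v4, github/codeql-action@v3, and
# that scripts/install_dependency.sh can be run directly on the runner.
name: CodeQL

on:
  push:
  pull_request:

# Minimum token scopes for CodeQL to upload SARIF to code scanning.
# A private repository additionally needs `actions: read`.
permissions:
  contents: read
  security-events: write

# One in-flight run per ref. Superseded PR runs are cancelled; pushes are
# allowed to finish so the branch always ends up with a completed scan.
concurrency:
  group: codeql-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  analyze:
    name: Analyze (cpp)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: cpp        # C and C++ share the cpp extractor
          build-mode: manual    # the build is driven by the steps below
          # Inline config instead of a separate config-file. For compiled
          # languages paths-ignore filters the reported results; it does not
          # stop the extractor from tracing files the build compiles.
          config: |
            paths-ignore:
              - libCacheSim-node

      # With build-mode: manual, only code compiled between init and analyze
      # is extracted. Targets that are disabled in this configuration, or that
      # the script skips, are never scanned, so keep this build close to the
      # one that ships.
      - name: Install dependencies
        run: bash scripts/install_dependency.sh

      - name: Build (CMake + Ninja, Release)
        run: |
          cmake -G Ninja -B build -DCMAKE_BUILD_TYPE=Release
          ninja -C build

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          # A fixed category so re-runs on the same commit replace earlier
          # results rather than appearing as a second analysis.
          category: "/language:cpp"
```

Two checks worth adding to the validation list above: confirm in the run log that the extractor observed the compiler invocations (the CodeQL database must not be empty after `ninja -C build`), and confirm the Security tab shows results for the default branch after the merge commit's push run, since the `pull_request` run only annotates the PR.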

@gemini-code-assist
Contributor

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

Copilot AI left a comment

Pull request overview

Adds a GitHub Actions CodeQL workflow to run C/C++ static analysis for this CMake/Ninja-based project so results appear in GitHub’s Security tab and as PR checks (per issue #243).

Changes:

  • Introduces .github/workflows/codeql-analysis.yml to run CodeQL on push and pull_request.
  • Uses CodeQL manual build mode with the repo’s dependency install script plus CMake+Ninja build steps.
  • Adds concurrency control and ignores scanning libCacheSim-node.

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@1a1a11a 1a1a11a merged commit f2f8b79 into 1a1a11a:develop May 1, 2026
10 checks passed

Development

Successfully merging this pull request may close these issues.

[FEATURE]: add codeQL as SAST

4 participants