codeql.yml

name: "Code Analysis"

on:
    push:
        branches: [ "master" ]
        paths:
            - '.github/workflows/codeql.yml'
            - 'api/*.py'
    pull_request:
        branches: [ "master" ]

jobs:
    codeql-analysis:
        name: Analyze (${{ matrix.language }})
        runs-on: ubuntu-latest
        permissions:
            actions: read
            contents: read
            security-events: write

        strategy:
            fail-fast: false
            matrix:
                include:
                  - language: python

        steps:
          - name: Checkout repository
            uses: actions/checkout@v4

          - name: Initialize CodeQL
            uses: github/codeql-action/init@v3
            with:
                languages: ${{ matrix.language }}
                queries: +security-extended

          - name: Autobuild
            uses: github/codeql-action/autobuild@v3

          - name: Perform CodeQL Analysis
            uses: github/codeql-action/analyze@v3
            with:
                category: "/language:${{matrix.language}}"

          - name: Upload CodeQL Results
            if: always()
            uses: actions/upload-artifact@v4
            with:
                name: codeql-results
                path: codeql-report.sarif

    pylint:
        name: Pylint
        runs-on: ubuntu-latest
        needs: codeql-analysis
        steps:
          - name: Checkout Code
            uses: actions/checkout@v4

          - name: Set up Python
            uses: actions/setup-python@v5
            with:
                python-version: '3.x'
                cache: "pip"

          - name: Install dependencies
            run: |
                python -m pip install --upgrade pip
                pip install -r requirements.txt

          - name: Pylint Scan & Badge
            uses: Silleellie/pylint-github-action@v2
            with:
                lint-path: api
                python-version: 3.x
                requirements-path: requirements.txt
                readme-path: README.md
                badge-text: PyLint
                color-bad-score: red
                color-ok-score: orange
                color-good-score: yellow
                color-perfect-score: brightgreen

    sast_scan: # Static Application Security Testing
        name: Run Bandit Scan
        runs-on: ubuntu-latest

        steps:
          - name: Checkout code
            uses: actions/checkout@v4

          - name: Set up Python
            uses: actions/setup-python@v5
            with:
                python-version: 3.12

          - name: Install Bandit
            run: pip install bandit

          - name: Run Bandit Scan
            # Ignore Low Severity Issues
            run: bandit -ll -ii -r . -f json -o bandit-report.json

          - name: Upload Bandit Scan Results
            if: always()
            uses: actions/upload-artifact@v4
            with:
                name: bandit-scan-results
                path: bandit-report.json