Customize CodeQL Scans with `config-file` in `codeql_init_and_analyze`
Ever wished you could fine-tune CodeQL scans in your GitHub Actions workflows? Well, now you can! Let's dive into how to add an optional config-file input to the codeql_init_and_analyze composite action.
The Current State
The `codeql_init_and_analyze` action, as it stands, doesn't accept a `config-file` input. This means you can't pass a custom CodeQL configuration file to `github/codeql-action/init@v4`, even though a config file is the standard way to specify `paths` and `paths-ignore`.
Why We Need This
Repositories, like npm-web-sampler, have many hidden folders that need fine-grained control over which paths CodeQL scans. A codeql-config.yml file is perfect for this, but it can only take effect if the config-file parameter is forwarded to codeql-action/init.
The Proposed Change
We're proposing to add an optional config-file input to the composite action and forward it to the init step. Here's how the new inputs section would look:
```yaml
inputs:
  language:
    description: The programming language to analyze
    required: true
  config-file:
    description: Path to a CodeQL config file (relative to the repository root)
    required: false

runs:
  using: composite
  steps:
    - name: "codeql: init"
      uses: github/codeql-action/init@v4
      with:
        languages: ${{ inputs.language }}
        config-file: ${{ inputs.config-file }}
```
How to Use It
Using the new config-file input is a breeze. Here's an example:
```yaml
- uses: percebus/github-actions-compliance/.github/actions/codeql_init_and_analyze@main
  with:
    language: ${{ matrix.language }}
    config-file: ./.github/codeql/codeql-config.yml
```
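For completeness, here is what the `codeql-config.yml` referenced above could contain. This is an added illustration, not a file from the percebus or npm-web-sampler repositories; the folder names are constructed placeholders, and only the `name`, `paths` and `paths-ignore` keys are standard CodeQL config keys.

```yaml
# Example ./.github/codeql/codeql-config.yml (added illustration).
# The directory names below are constructed placeholders, not taken
# from any real project layout.
name: "npm-web-sampler CodeQL config"

# Only the directories listed under `paths` are analyzed. Paths are
# relative to the repository root, so hidden folders that are not
# listed here are never scanned.
paths:
  - src
  - scripts

# `paths-ignore` excludes matching files even when they sit under one
# of the `paths` entries, so generated and vendored trees inside the
# scanned directories are still dropped. Hidden folders that hold
# tooling state rather than shipped code are excluded explicitly.
paths-ignore:
  - "**/node_modules"
  - "**/*.min.js"
  - "**/__tests__"
  - ".cache"
  - ".husky"
```

Note that `paths` and `paths-ignore` only affect interpreted languages such as JavaScript; for compiled languages the build itself determines which files CodeQL sees.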