From 035d2e3acc0775a64046cc2e4a2a7370887725c2 Mon Sep 17 00:00:00 2001
From: nickossdev <138879597+nickossdev@users.noreply.github.com>
Date: Thu, 1 Aug 2024 21:27:27 +0100
Subject: [PATCH] Update codeql.yml
---
 .github/workflows/codeql.yml | 57 ++++++++++++++++++++++++------------
 1 file changed, 39 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index eff3326703..346703e400 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,47 +1,68 @@ -name: "CodeQL with Extended Checks and YAML Security Analysis" +name: "CodeQL Security Scan" on: push: branches: [ "main" ] pull_request: branches: [ "main" ] - jobs: analyze: - name: Analyze Python Code and YAML Files + name: Analyze runs-on: ubuntu-latest permissions: + actions: read + contents: read security-events: write strategy: fail-fast: false matrix: - include: - - language: python - build-mode: none + language: [ 'python', 'javascript' ] # 'javascript' will analyze YAML files steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v3 - # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} - queries: +security-extended,security-and-quality + queries: +security-and-quality,+security-extended - - name: Perform CodeQL Analysis on Python Code - uses: github/codeql-action/analyze@v3 + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 with: category: "/language:${{matrix.language}}" - - name: Initialize CodeQL for YAML - uses: github/codeql-action/init@v3 + analyze-actions: + name: Analyze GitHub Actions + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Run yaml-lint + uses: ibiqlik/action-yamllint@v3 + with: + file_or_dir: .github/workflows + config_file: .yamllint.yml + + - name: Run Trivy vulnerability scanner in IaC mode + uses: aquasecurity/trivy-action@master with: - languages: yaml + scan-type: 'config' + hide-progress: false + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' - - name: Perform CodeQL Analysis on YAML Files - uses: github/codeql-action/analyze@v3 + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + if: always() with: - category: 
"/language:yaml" + sarif_file: 'trivy-results.sarif'