mcp-wordpress/.github/workflows/codeql-analysis.yml at main · docdyhr/mcp-wordpress · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
name: 🔒 CodeQL Security Analysis

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  schedule:
    # Run CodeQL analysis daily at 3 AM UTC for comprehensive coverage
    - cron: "0 3 * * *"
  workflow_dispatch:

permissions:
  actions: read
  contents: read
  security-events: write
  packages: read

env:
  NODE_VERSION: "22"

jobs:
  codeql-analyze:
    name: 🔍 CodeQL Analysis
    runs-on: ubuntu-latest
    timeout-minutes: 30

    strategy:
      fail-fast: false
      matrix:
        # Use javascript-typescript for comprehensive coverage
        language: ["javascript-typescript"]
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

    steps:
      - name: 📥 Checkout Code
        uses: actions/checkout@v6

      - name: 📦 Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: "npm"

      - name: 📦 Install Dependencies
        run: npm ci
        env:
          HUSKY: 0

      - name: 🏗️ Build Project
        run: npm run build
        env:
          HUSKY: 0

      # Initializes the CodeQL tools for scanning.
      - name: 🔧 Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          # Use comprehensive security queries
          queries: +security-extended,security-and-quality
          config: |
            name: "Enhanced CodeQL Config"
            queries:
              - uses: security-and-quality
              - uses: security-extended
            paths-ignore:
              - node_modules
              - dist
              - coverage
              - docs
              - .github
              - tests/**/*.test.js
              - "**/*.min.js"
            paths:
              - src
              - "*.js"
              - "*.ts"

      # Autobuild attempts to build any compiled languages
      - name: 🤖 Autobuild
        uses: github/codeql-action/autobuild@v4

      - name: 🔍 Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{matrix.language}}"
          # Upload results to GitHub Security tab
          upload: true
          # Don't fail the workflow if vulnerabilities are found
          fail-on: error
          # Wait for processing to complete
          wait-for-processing: true

      - name: 📊 Security Analysis Summary
        if: always()
        run: |
          echo "## 🔒 CodeQL Security Analysis Completed" >> $GITHUB_STEP_SUMMARY
          echo "**Language:** ${{ matrix.language }}" >> $GITHUB_STEP_SUMMARY
          echo "**Status:** Analysis completed and uploaded to GitHub Security tab" >> $GITHUB_STEP_SUMMARY
          echo "**Next Steps:** Review any security findings in the Security tab" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "### 📋 Analysis Details" >> $GITHUB_STEP_SUMMARY
          echo "- **Queries Used:** Security Extended + Security and Quality" >> $GITHUB_STEP_SUMMARY
          echo "- **Paths Analyzed:** src/, *.js, *.ts" >> $GITHUB_STEP_SUMMARY
          echo "- **Paths Ignored:** node_modules, dist, coverage, docs, tests" >> $GITHUB_STEP_SUMMARY
          echo "- **Upload Status:** Results uploaded to GitHub Security tab" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "Check the Security tab for detailed results." >> $GITHUB_STEP_SUMMARY

  # Security recommendations job
  security-recommendations:
    name: 📋 Security Recommendations
    runs-on: ubuntu-latest
    needs: codeql-analyze
    if: always()
    steps:
      - name: 📥 Checkout Code
        uses: actions/checkout@v6

      - name: 🔍 Generate Security Recommendations
        run: |
          echo "## 🛡️ Security Recommendations" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "### 🔒 CodeQL Analysis" >> $GITHUB_STEP_SUMMARY
          echo "- ✅ Static analysis completed for JavaScript/TypeScript" >> $GITHUB_STEP_SUMMARY
          echo "- 📊 Results available in GitHub Security tab" >> $GITHUB_STEP_SUMMARY
          echo "- 🔍 Enhanced security queries applied" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "### 📝 Next Steps" >> $GITHUB_STEP_SUMMARY
          echo "1. Review security findings in the Security tab" >> $GITHUB_STEP_SUMMARY
          echo "2. Address any high-severity vulnerabilities" >> $GITHUB_STEP_SUMMARY
          echo "3. Consider implementing suggested code improvements" >> $GITHUB_STEP_SUMMARY
          echo "4. Update dependencies if vulnerabilities are found" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "### 🔗 Resources" >> $GITHUB_STEP_SUMMARY
          echo "- [CodeQL Documentation](https://codeql.github.com/docs/)" >> $GITHUB_STEP_SUMMARY
          echo "- [Security Best Practices](https://docs.github.com/en/code-security)" >> $GITHUB_STEP_SUMMARY
          echo "- [GitHub Security Advisories](https://github.com/advisories)" >> $GITHUB_STEP_SUMMARY