CodeQL Scanner

CodeQL SAST Scanner - Reusable Workflow

THIN WRAPPER: This workflow delegates to the scanner-codeql composite action. All scanning logic is in: .github/actions/scanner-codeql/action.yml

Note: This workflow retains the language auto-detection and matrix generation since the composite action handles one language at a time.

For GHES users: Use the composite action directly with a matrix strategy. See: examples/github-enterprise/sast-only.yml

uses: huntridge-labs/argus/.github/workflows/scanner-codeql.yml@0.6.7

Pipeline

2 jobs (1 matrix) · scroll to zoom · drag to pan

Triggers

Manual dispatch
Reusable (called by other workflows)

Permissions

Scope	Access
`contents`	`read`
`security-events`	`write`
`actions`	`read`
`pull-requests`	`write`

Inputs

Input	Description	Required	Default
`config_file`	Path to CodeQL config file. Leave empty to auto-detect project config or use defaults. string	No	`—`
`post_pr_comment`	Whether to post PR comments boolean	No	`True`
`enable_code_security`	Whether GitHub Code Security is enabled for this repository boolean	No	`False`
`fail_on_severity`	Fail the job if vulnerabilities at or above this severity are found. Options: none, low, medium, high, critical. Set ... string	No	`none`
`setup_python_version`	Python version to set up (only used when language is python) string	No	`3.12`
`setup_node_version`	Node.js version to set up (only used when language is javascript) string	No	`22`

CodeQL Options

Input	Description	Required	Default
`codeql_languages`	Comma-separated list of languages for CodeQL analysis (e.g., "python,javascript"). Leave empty for auto-detection. string	No	`—`

Jobs

`generate-codeql-matrix` — Generate CodeQL Matrix

Runs on: ubuntu-latest

Steps:

Checkout for language detection — actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
Generate matrix

`codeql-analysis` — CodeQL Analysis

Runs on: ubuntu-latest · Timeout: 45 minutes · Depends on: generate-codeql-matrix · Continue on error: Yes · Condition: github.actor != 'nektos/act'