--- /dev/null
+## @file\r
+# CodeQL configuration file for edk2.\r
+#\r
+# Copyright (c) Microsoft Corporation.\r
+# SPDX-License-Identifier: BSD-2-Clause-Patent\r
+##\r
+\r
+name: "CodeQL config"\r
+\r
+# The following line disables the default queries. This is used because we want to enable on query at a time by\r
+# explicitly specifying each query in a "queries" array as they are enabled.\r
+#\r
+# See the following for more information about adding custom queries:\r
+# https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-a-custom-configuration-file\r
+\r
+#disable-default-queries: true\r
+\r
+queries:\r
+ - name: EDK2 CodeQL Query List\r
+ uses: ./.github/codeql/edk2.qls\r
+\r
+# We must specify a query for CodeQL to run. Until the first query is enabled, enable the security query suite but\r
+# exclude all problem levels from impacting the results. After the first query is enabled, this filter can be relaxed\r
+# to find the level of problems desired from the query.\r
+query-filters:\r
+- exclude:\r
+ problem.severity:\r
+ - error\r
+ - warning\r
+ - recommendation\r
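Review bot: The comment above `#disable-default-queries: true` describes the line as disabling the default queries, but the key itself is commented out, so with this config the default query set runs in addition to `./.github/codeql/edk2.qls` (that `.qls` file is not part of this hunk, so I cannot confirm it exists). The comment block on `query-filters` also says the security query suite is enabled, yet nothing in the file selects a suite beyond the defaults — either add `- uses: security-extended` under `queries:` or reword the comment to match what the file does. I would replace the comment at the `#disable-default-queries` line with `# Intentionally left commented out: default queries stay enabled until the first custom query is added.` so the next maintainer does not uncomment it and silently drop the default set. Because the filter excludes `error`, `warning` and `recommendation`, no alert of any severity will surface from this scan, including genuine errors; that is stated as temporary here, so it deserves a tracked follow-up rather than living only in a comment.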
--- /dev/null
+# @file\r
+# GitHub Workflow for CodeQL Analysis\r
+#\r
+# Copyright (c) Microsoft Corporation.\r
+#\r
+# SPDX-License-Identifier: BSD-2-Clause-Patent\r
+##\r
+\r
+name: "CodeQL"\r
+\r
+on:\r
+ push:\r
+ branches:\r
+ - master\r
+ pull_request:\r
+ branches:\r
+ - master\r
+ paths-ignore:\r
+ - '**/*.bat'\r
+ - '**/*.md'\r
+ - '**/*.py'\r
+ - '**/*.rst'\r
+ - '**/*.sh'\r
+ - '**/*.txt'\r
+\r
+ schedule:\r
+ # https://crontab.guru/#20_23_*_*_4\r
+ - cron: '20 23 * * 4'\r
+\r
+jobs:\r
+ analyze:\r
+ name: Analyze\r
+ runs-on: windows-2019\r
+ permissions:\r
+ actions: read\r
+ contents: read\r
+ security-events: write\r
+\r
+ strategy:\r
+ fail-fast: false\r
+ matrix:\r
+ package: [\r
+ "ArmPkg",\r
+ "CryptoPkg",\r
+ "DynamicTablesPkg",\r
+ "FatPkg",\r
+ "FmpDevicePkg",\r
+ "IntelFsp2Pkg",\r
+ "IntelFsp2WrapperPkg",\r
+ "MdeModulePkg",\r
+ "MdePkg",\r
+ "PcAtChipsetPkg",\r
+ "PrmPkg",\r
+ "SecurityPkg",\r
+ "ShellPkg",\r
+ "SourceLevelDebugPkg",\r
+ "StandaloneMmPkg",\r
+ "UefiCpuPkg",\r
+ "UnitTestFrameworkPkg"]\r
+\r
+ steps:\r
+ - name: Checkout repository\r
+ uses: actions/checkout@v3\r
+\r
+ # Initializes the CodeQL tools for scanning.\r
+ - name: Initialize CodeQL\r
+ uses: github/codeql-action/init@v2\r
+ with:\r
+ languages: 'cpp'\r
+ # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]\r
+ # Learn more about CodeQL language support at https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/\r
+ config-file: ./.github/codeql/codeql-config.yml\r
+ # Note: Add new queries to codeql-config.yml file as they are enabled.\r
+\r
+ - name: Install/Upgrade pip Modules\r
+ run: pip install -r pip-requirements.txt --upgrade\r
+\r
+ - name: Setup\r
+ run: stuart_setup -c .pytool/CISettings.py -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=VS2019\r
+\r
+ - name: Update\r
+ run: stuart_update -c .pytool/CISettings.py -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=VS2019\r
+\r
+ - name: Build Tools From Source\r
+ run: python BaseTools/Edk2ToolsBuild.py -t VS2019\r
+\r
+ - name: CI Build\r
+ run: stuart_ci_build -c .pytool/CISettings.py -p ${{ matrix.package }} -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=VS2019\r
+\r
+ - name: Perform CodeQL Analysis\r
+ uses: github/codeql-action/analyze@v2\r
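Review bot: The `Perform CodeQL Analysis` step runs once per entry in the 17-package `matrix` but passes no `category` to `github/codeql-action/analyze`, so every matrix job uploads SARIF under the same default category for the same commit and, as far as I know the action's behaviour, later uploads supersede earlier ones instead of accumulating per package; add `with:` and `category: ${{ matrix.package }}` to that step (if the step already has a `with:` block past the last visible line, extend it instead). The third-party actions (`actions/checkout@v3`, `github/codeql-action/init@v2`, `github/codeql-action/analyze@v2`) are pinned to mutable major tags in a job that holds `security-events: write`; pinning each to a full commit SHA with the version in a trailing comment is the usual hardening for supply-chain risk. As a style point, the `package:` list is written in flow style spread across 17 lines; a block sequence (`- "ArmPkg"` per line) would diff more cleanly when packages are added. Note also that `paths-ignore` applies only to the `pull_request` trigger, so `push` to `master` runs the full build even for `.md`-only changes; that may be intended, but a short comment saying so would help.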