How to scan GitHub actions

Question

I am using CodeQL. How do I scan GitHub actions in my repository?

Answer

OIS Software Assurance requires that all GitHub Actions workflows present in a repository are scanned.

If you are using the default CodeQL scan, GitHub Actions workflows should be scanned automatically.

If you are using the Advanced CodeQL scan or otherwise have a custom CodeQL scanning workflow file, you will have to add the actions language to the language matrix in that file, as illustrated below:

  matrix:
    language:
      - java-kotlin
      - javascript-typescript
      - actions

or

  matrix:
    language: ['javascript-typescript', 'python', 'actions']

References

Customizing your advanced setup for code scanning