Setup Code-QL scans (open-eid#1143)

IB-7528

Signed-off-by: Raul Metsma <[email protected]>

Signed-off-by: Raul Metsma <[email protected]>

.github/workflows/build.yml

@@ -261,6 +261,8 @@ jobs:
     name: Run CodeQL tests
     if: github.repository == 'open-eid/DigiDoc4-Client'
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
     - name: Checkout
       uses: actions/checkout@v3
@@ -282,7 +284,23 @@ jobs:
       uses: github/codeql-action/init@v2
       with:
         languages: cpp
+        queries: +security-and-quality
     - name: Autobuild
       uses: github/codeql-action/autobuild@v2
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v2
+      with:
+        upload: False
+        output: sarif-results
+    - name: Filter results
+      uses: advanced-security/filter-sarif@develop
+      with:
+        patterns: |
+          -**/*autogen*/**
+          -**:cpp/poorly-documented-function
+        input: sarif-results/cpp.sarif
+        output: sarif-results/cpp.sarif
+    - name: Upload results
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: sarif-results/cpp.sarif