Add CodeQL Scan #4078

Open
wants to merge 13 commits into
base: main
11 changes: 7 additions & 4 deletions .github/workflows/boefjes_container_image.yml
Expand Up @@ -19,14 +19,17 @@ on:

jobs:
create_container_image:
permissions:
contents: read
packages: write
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Docker meta
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
ghcr.io/${{ github.repository_owner }}/nl-kat-boefjes
Expand All @@ -36,11 +39,11 @@ jobs:
type=ref,event=pr

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
id: buildx

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
Expand All @@ -54,7 +57,7 @@ jobs:
cp _version.py boefjes/boefjes/katalogus/version.py

- name: Build container image
uses: docker/build-push-action@v6
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
# We don't use git context because that doesn't process .dockerignore
# https://github.com/docker/cli/issues/2827
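Review bot: `actions/checkout@v4` (the context line under `- name: Checkout code`) stays on a mutable major tag while the four docker/* actions in this hunk are pinned to full commit SHAs, so the supply-chain benefit of the pins is undercut by the one step that can still be retargeted by moving a tag. Pin it the same way, `uses: actions/checkout@<commit-sha> # v4.x.y` (fill in the SHA of the intended release), and apply the same to the checkout lines visible in bytes_container_image.yml, mula_container_image.yml, octopoes_container_image.yml, build-debian-docker-image.yml, masscan_container_image.yml, build_docs_on_pr.yml and codeql.yml (containerized_boefjes.yml's checkout sits just above its hunk). Once everything is SHA-pinned, a Dependabot `github-actions` ecosystem entry keeps the SHAs and their version comments moving together so the pins do not silently go stale.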
2 changes: 2 additions & 0 deletions .github/workflows/boefjes_tests.yml
Expand Up @@ -19,6 +19,8 @@ on:

jobs:
Tests:
permissions:
contents: read
strategy:
fail-fast: false
matrix:
4 changes: 2 additions & 2 deletions .github/workflows/build-debian-docker-image.yml
Expand Up @@ -31,7 +31,7 @@ jobs:
uses: actions/checkout@v4

- name: Log in to the Container registry
uses: docker/login-action@v3
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
Expand All @@ -51,7 +51,7 @@ jobs:
type=sha

- name: Build and push Docker image
uses: docker/build-push-action@v6
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
context: ./packaging/${{ matrix.dist }}
push: true
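Review bot: This job logs in to the registry as `${{ github.actor }}` and pushes (`push: true`), yet unlike the sibling *_container_image.yml jobs touched by this PR it gets no job-level `permissions:` block, so the token keeps whatever the workflow or repository default grants. Whether a workflow-level `permissions:` already restricts it is outside the hunk; if not, add `permissions:` / `contents: read` / `packages: write` on the job to match boefjes_container_image.yml. The same gap applies to masscan_container_image.yml, whose section likewise only swaps the action pins.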
2 changes: 2 additions & 0 deletions .github/workflows/build_docs_on_pr.yml
Expand Up @@ -18,6 +18,8 @@ on:

jobs:
build-artifact:
permissions:
contents: read
runs-on: ubuntu-24.04
steps:
- name: Checkout code
11 changes: 7 additions & 4 deletions .github/workflows/bytes_container_image.yml
Expand Up @@ -17,14 +17,17 @@ on:

jobs:
create_container_image:
permissions:
contents: read
packages: write
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Docker meta
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
ghcr.io/${{ github.repository_owner }}/nl-kat-bytes
Expand All @@ -34,11 +37,11 @@ jobs:
type=ref,event=pr

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
id: buildx

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
Expand All @@ -51,7 +54,7 @@ jobs:
cp _version.py bytes/bytes/version.py

- name: Build container image
uses: docker/build-push-action@v6
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
# We don't use git context because that doesn't process .dockerignore
# https://github.com/docker/cli/issues/2827
2 changes: 2 additions & 0 deletions .github/workflows/bytes_tests.yml
Expand Up @@ -17,6 +17,8 @@ on:

jobs:
test:
permissions:
contents: read
strategy:
fail-fast: false
matrix:
46 changes: 46 additions & 0 deletions .github/workflows/codeql.yml
@@ -0,0 +1,46 @@
name: "CodeQL OpenKAT"

on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
schedule:
# Weekly on Sunday.
- cron: "30 1 * * 0"

jobs:
analyze:
name: Analyze (${{ matrix.language }})
runs-on: ["ubuntu-latest"]
permissions:
# required for all workflows
security-events: write
strategy:
fail-fast: false
matrix:
include:
- language: javascript-typescript
build-mode: none
- language: python
build-mode: none
- language: actions
build-mode: none

steps:
- name: Checkout repository
uses: actions/checkout@v4

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
queries: security-extended # Use security extended, when too many false positives we can switch back to default

# Use the CodeQL tools for analyzing.
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
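Review bot: `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3` and `actions/checkout@v4` are left on mutable tags in this new workflow while the rest of the PR pins third-party actions to full commit SHAs with a version comment; pin these the same way, e.g. `uses: github/codeql-action/init@<commit-sha> # v3.x.y`, since a scanner that reports to the Security tab is itself a high-value step to keep immutable. The job-level `permissions:` grants only `security-events: write`, which resets every other scope to none; GitHub's CodeQL starter workflow also lists `contents: read` (plus `actions: read` and `packages: read` for private repositories or private query packs), so add `contents: read` unless checkout has been verified to work on this repository without it. `runs-on: ["ubuntu-latest"]` differs from the `ubuntu-24.04` pinned by every other workflow in this PR, and a flow list for a single runner reads oddly; `runs-on: ubuntu-24.04` would match the rest and avoid the runner image drifting underneath the scan.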
11 changes: 7 additions & 4 deletions .github/workflows/containerized_boefjes.yml
Expand Up @@ -21,6 +21,9 @@ on:

jobs:
build_containerized_boefjes:
permissions:
contents: read
packages: write
strategy:
matrix:
include:
Expand All @@ -35,7 +38,7 @@ jobs:

- name: Docker meta
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
ghcr.io/${{ github.repository_owner }}/${{ matrix.image }}
Expand All @@ -45,18 +48,18 @@ jobs:
type=ref,event=pr

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
id: buildx

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build container image for ${{ matrix.image }}
uses: docker/build-push-action@v6
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
# We don't use git context because that doesn't process .dockerignore
# https://github.com/docker/cli/issues/2827
7 changes: 5 additions & 2 deletions .github/workflows/debian_package.yml
Expand Up @@ -11,11 +11,12 @@ on:

jobs:
changes:
permissions: {}
runs-on: ubuntu-24.04
outputs:
packages: ${{ steps.filter.outputs.changes }}
steps:
- uses: dorny/paths-filter@v3
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
if: github.event_name != 'push'
id: filter
with:
Expand All @@ -42,6 +43,8 @@ jobs:
- '.github/workflows/debian_package.yml'

build:
permissions:
contents: read
needs: changes
if: ${{ github.event_name == 'push' || (needs.changes.outputs.packages != '[]' && needs.changes.outputs.packages != '') }}
strategy:
Expand Down Expand Up @@ -72,7 +75,7 @@ jobs:
cp _version.py rocky/rocky/version.py

- name: Run debian package build
uses: addnab/docker-run-action@v3
uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3
with:
run: packaging/scripts/build-debian-package.sh
registry: ghcr.io
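Review bot: `permissions: {}` on the `changes` job strips every scope from GITHUB_TOKEN, but the dorny/paths-filter step right below it runs on non-push events (`if: github.event_name != 'push'`) and, per that action's README, needs `pull-requests: read` to list a pull request's changed files through the API; as written the step may fail on PRs, which the `build` job's `needs: changes` would then propagate. Verify on a PR run and, if it fails, replace the empty map with `permissions:` / `pull-requests: read`. The pin `addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3` carries only a major-version comment unlike the other pins' full `vX.Y.Z`, so a reader cannot tell which release the SHA corresponds to; record the exact tag. The `build` job's new `contents: read` is presumably enough for the ghcr.io pull in the docker-run-action step, but if the image it pulls is a private package it will additionally need `packages: read`.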
6 changes: 3 additions & 3 deletions .github/workflows/masscan_container_image.yml
Expand Up @@ -31,11 +31,11 @@ jobs:
uses: actions/checkout@v4

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
id: buildx

- name: Log in to the Container registry
uses: docker/login-action@v3
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
Expand All @@ -55,7 +55,7 @@ jobs:
type=sha

- name: Build and push Docker image
uses: docker/build-push-action@v6
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
context: ./boefjes/images/masscan
push: true
11 changes: 7 additions & 4 deletions .github/workflows/mula_container_image.yml
Expand Up @@ -17,14 +17,17 @@ on:

jobs:
create_container_image:
permissions:
contents: read
packages: write
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Docker meta
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
ghcr.io/${{ github.repository_owner }}/nl-kat-mula
Expand All @@ -34,11 +37,11 @@ jobs:
type=ref,event=pr

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
id: buildx

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
Expand All @@ -51,7 +54,7 @@ jobs:
cp _version.py mula/scheduler/version.py

- name: Build container image
uses: docker/build-push-action@v6
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
# We don't use git context because that doesn't process .dockerignore
# https://github.com/docker/cli/issues/2827
2 changes: 2 additions & 0 deletions .github/workflows/mula_tests.yml
Expand Up @@ -17,6 +17,8 @@ on:

jobs:
test:
permissions:
contents: read
strategy:
fail-fast: false
matrix:
11 changes: 7 additions & 4 deletions .github/workflows/octopoes_container_image.yml
Expand Up @@ -17,14 +17,17 @@ on:

jobs:
create_container_image:
permissions:
contents: read
packages: write
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Docker meta
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
ghcr.io/${{ github.repository_owner }}/nl-kat-octopoes
Expand All @@ -34,11 +37,11 @@ jobs:
type=ref,event=pr

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
id: buildx

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
Expand All @@ -51,7 +54,7 @@ jobs:
cp _version.py octopoes/octopoes/version.py

- name: Build container image
uses: docker/build-push-action@v6
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
# We don't use git context because that doesn't process .dockerignore
# https://github.com/docker/cli/issues/2827
4 changes: 3 additions & 1 deletion .github/workflows/octopoes_rtest.yml
Expand Up @@ -17,6 +17,8 @@ on:

jobs:
rtest:
permissions:
contents: read
runs-on: ubuntu-24.04

steps:
Expand All @@ -32,7 +34,7 @@ jobs:
working-directory: ./octopoes

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
id: buildx

- name: Run robot tests
2 changes: 2 additions & 0 deletions .github/workflows/octopoes_tests.yml
Expand Up @@ -17,6 +17,8 @@ on:

jobs:
test:
permissions:
contents: read
strategy:
fail-fast: false
matrix: