From cdaae409c98fe54b58d6d35dba9c990929d8145a Mon Sep 17 00:00:00 2001
From: Mike Jensen
Date: Wed, 16 Oct 2024 13:58:40 -0600
Subject: [PATCH] chore(ci): Add initial CodeQL workflow configuration (#405)

I want to explore using CodeQL to assist as part of our static analysis strategy. Because this tool is available for free to open source projects, `opentdf` is a good place to start this testing. This PR adds an initial configuration which will scan the codebase once a week. These results can be ignored for the time being. Instead the security team will review the results and make sure we tune away any noise first (or help in opening PR's to address any valid issues found).
---
 .github/workflows/codeql.yaml | 48 +++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 .github/workflows/codeql.yaml

diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
new file mode 100644
index 00000000..9e91c175
--- /dev/null
+++ b/.github/workflows/codeql.yaml
@@ -0,0 +1,48 @@
+name: "CodeQL"
+
+on:
+ schedule:
+ - cron: '0 13 * * 1' # At 1:00 PM UTC every Monday
+ pull_request:
+ paths:
+ - '.github/workflows/codeql.yaml'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'go' ]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version-file: go.mod
+ if: ${{ matrix.language == 'go' }}
+
+ - name: Initialize the CodeQL tools for scanning
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ timeout-minutes: 5
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+ timeout-minutes: 10
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
+ timeout-minutes: 10
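Review bot: Every `uses:` reference in the new workflow (checkout, setup-go, and the three codeql-action steps) is pinned to a mutable major tag such as `@v4`, so a tag that is moved or compromised upstream would run different code inside a job that holds `security-events: write`. Pin each action to its full-length commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<FULL_COMMIT_SHA>  # v4` (placeholder SHA), and let Dependabot's `github-actions` ecosystem keep the pins current. Two smaller points of style: the `if:` on the Set up Go step sits after its `with:` block and reads more clearly placed directly under `uses:`, and `category: "/language:${{matrix.language}}"` drops the inner spaces that the other `${{ matrix.language }}` expressions in the file use.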