From f6d5ac3f06d090a4e237c0dee0c19609a54c6b2f Mon Sep 17 00:00:00 2001
From: Daniel Farrell <dfarrell@redhat.com>
Date: Tue, 30 Aug 2022 15:53:31 -0400
Subject: [PATCH] Add CodeQL variant analysis scanning

This is a different type of static analysis than others we run.

It identified new issues (already fixed) that our other tool missed.

The company that built it was bought by GitHub and the tool is being
integrated into GitHub's security workflow.

Add one unprivileged version of the job to gate PRs and one privileged
version on-merge to report results.

Relates-to: submariner-io/submariner#1970
Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
---
 .github/workflows/linting.yml | 18 ++++++++++++++++++
 .github/workflows/report.yml  | 20 ++++++++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index f435c1cf1..ce3da6f33 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -105,6 +105,24 @@ jobs:
       - name: Run packagedoc-lint
         run: make packagedoc-lint
 
+  variant-analysis:
+    name: Variant Analysis
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
+        with:
+          languages: go
+      - name: Build code, creating CodeQL database
+        run: make build
+      - name: Run CodeQL variant analysis
+        uses: github/codeql-action/analyze@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
+      - name: Show CodeQL scan SARIF report
+        if: always()
+        run: cat ../results/go.sarif
+
   vulnerability-scan:
     name: Vulnerability Scanning
     runs-on: ubuntu-latest
diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
index d401d9a21..812803960 100644
--- a/.github/workflows/report.yml
+++ b/.github/workflows/report.yml
@@ -30,6 +30,26 @@ jobs:
           args: >
             --debug
 
+  variant-analysis:
+    name: Variant Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
+        with:
+          languages: go
+      - name: Build code, creating CodeQL database
+        run: make build
+      - name: Run CodeQL variant analysis
+        uses: github/codeql-action/analyze@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
+      - name: Show CodeQL scan SARIF report
+        if: always()
+        run: cat ../results/go.sarif
+
   vulnerability-scan:
     name: Vulnerability Scanning
     if: github.repository_owner == 'submariner-io'