Add CodeQL variant analysis scanning

This is a different type of static analysis than others we run. > Variant analysis is the process of using a known security vulnerability as a seed to find similar problems in your code. https://codeql.github.com/docs/codeql-overview/about-codeql/ It identified new issues (already fixed) that our other tools missed. The company that built it was bought by GitHub and the tool is being integrated into GitHub's security workflow. Add one unprivileged version of the job to gate PRs and one privileged version on-merge to report results. Relates-to: submariner-io#1970 Signed-off-by: Daniel Farrell <[email protected]>
dfarrell07 · Sep 29, 2022 · a2f4f5f · a2f4f5f
1 parent 013bba2
commit a2f4f5f
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -136,6 +136,22 @@ jobs:
       - name: Run shellcheck
         run: make shellcheck
 
+  variant-analysis:
+    name: Variant Analysis
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@86f3159a697a097a813ad9bfa0002412d97690a4
+        with:
+          languages: go
+      - name: Run CodeQL variant analysis
+        uses: github/codeql-action/analyze@86f3159a697a097a813ad9bfa0002412d97690a4
+      - name: Show CodeQL scan SARIF report
+        if: always()
+        run: cat ../results/go.sarif
+
   vulnerability-scan:
     name: Vulnerability Scanning
     runs-on: ubuntu-latest

diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
@@ -10,6 +10,24 @@ on:
 permissions: {}
 
 jobs:
+  variant-analysis:
+    name: Variant Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@86f3159a697a097a813ad9bfa0002412d97690a4
+        with:
+          languages: go
+      - name: Run CodeQL variant analysis
+        uses: github/codeql-action/analyze@86f3159a697a097a813ad9bfa0002412d97690a4
+      - name: Show CodeQL scan SARIF report
+        if: always()
+        run: cat ../results/go.sarif
+
   vulnerability-scan:
     name: Vulnerability Scanning
     if: github.repository_owner == 'submariner-io'