From a2f4f5f105f41d1858626bbde7b662d41392b620 Mon Sep 17 00:00:00 2001
From: Daniel Farrell <dfarrell@redhat.com>
Date: Thu, 29 Sep 2022 12:49:57 -0400
Subject: [PATCH] Add CodeQL variant analysis scanning

This is a different type of static analysis than others we run.

> Variant analysis is the process of using a known security
vulnerability as a seed to find similar problems in your code.

https://codeql.github.com/docs/codeql-overview/about-codeql/

It identified new issues (already fixed) that our other tools missed.

The company that built it was bought by GitHub and the tool is being
integrated into GitHub's security workflow.

Add one unprivileged version of the job to gate PRs and one privileged
version on-merge to report results.

Relates-to: #1970
Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
---
 .github/workflows/linting.yml | 16 ++++++++++++++++
 .github/workflows/report.yml  | 18 ++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index c6fe253a3..e70e3f15c 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -136,6 +136,22 @@ jobs:
       - name: Run shellcheck
         run: make shellcheck
 
+  variant-analysis:
+    name: Variant Analysis
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@86f3159a697a097a813ad9bfa0002412d97690a4
+        with:
+          languages: go
+      - name: Run CodeQL variant analysis
+        uses: github/codeql-action/analyze@86f3159a697a097a813ad9bfa0002412d97690a4
+      - name: Show CodeQL scan SARIF report
+        if: always()
+        run: cat ../results/go.sarif
+
   vulnerability-scan:
     name: Vulnerability Scanning
     runs-on: ubuntu-latest
diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
index da6b6f1e1..0b5adb940 100644
--- a/.github/workflows/report.yml
+++ b/.github/workflows/report.yml
@@ -10,6 +10,24 @@ on:
 permissions: {}
 
 jobs:
+  variant-analysis:
+    name: Variant Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@86f3159a697a097a813ad9bfa0002412d97690a4
+        with:
+          languages: go
+      - name: Run CodeQL variant analysis
+        uses: github/codeql-action/analyze@86f3159a697a097a813ad9bfa0002412d97690a4
+      - name: Show CodeQL scan SARIF report
+        if: always()
+        run: cat ../results/go.sarif
+
   vulnerability-scan:
     name: Vulnerability Scanning
     if: github.repository_owner == 'submariner-io'