Add CodeQL variant analysis scanning

This is a different type of static analysis than others we run. It identified new issues (already fixed) that our other tool missed. The company that built it was bought by GitHub and the tool is being integrated into GitHub's security workflow. Add one unprivileged version of the job to gate PRs and one privileged version on-merge to report results. Relates-to: submariner-io/submariner#1970 Signed-off-by: Daniel Farrell <[email protected]>
submariner-io · Aug 26, 2022 · 59b0c89 · 59b0c89
1 parent 2c4de45
commit 59b0c89
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 0 deletions.
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -138,6 +138,24 @@ jobs:
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
 
+  variant-analysis:
+    name: Variant Analysis
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
+        with:
+          languages: go
+      - name: Build code, creating CodeQL database
+        run: make build
+      - name: Run CodeQL variant analysis
+        uses: github/codeql-action/analyze@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
+      - name: Show CodeQL scan SARIF report
+        if: always()
+        run: cat ../results/go.sarif
+
   yaml-lint:
     name: YAML
     runs-on: ubuntu-latest

diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
@@ -31,3 +31,28 @@ jobs:
         uses: github/codeql-action/upload-sarif@c7f292ea4f542c473194b33813ccd4c207a6c725
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
+
+  variant-analysis:
+    name: Variant Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
+        with:
+          languages: go
+      - name: Build code, creating CodeQL database
+        run: make build
+      - name: Run CodeQL variant analysis
+        uses: github/codeql-action/analyze@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
+      - name: Show CodeQL scan SARIF report
+        if: always()
+        run: cat ../results/go.sarif
+      - name: Upload CodeQL scan SARIF report
+        if: always()
+        uses: github/codeql-action/upload-sarif@7fee4ca032ac341c12486c4c06822c5221c76533
+        with:
+          sarif_file: ../results/go.sarif