Add CodeQL variant analysis scanning

This is a different type of static analysis than others we run. > Variant analysis is the process of using a known security vulnerability as a seed to find similar problems in your code. https://codeql.github.com/docs/codeql-overview/about-codeql/ CodeQL doesn't only do variant analysis for security issues, it also has semantic queries/rules for other types of issues. https://github.com/github/codeql/tree/main/go/ql/src It identified new issues (already fixed) that our other tools missed. The company that built it was bought by GitHub and the tool is being integrated into GitHub's security workflow. Add one unprivileged version of the job to gate PRs and one privileged version on-merge to report results. Relates-to: #1970 Signed-off-by: Daniel Farrell <[email protected]>
submariner-io · Sep 12, 2023 · 2e1770c · 2e1770c
1 parent 9fbc0b1
commit 2e1770c
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -130,6 +130,22 @@ jobs:
       - name: Run shellcheck
         run: make shellcheck
 
+  variant-analysis:
+    name: Variant Analysis
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@86f3159a697a097a813ad9bfa0002412d97690a4
+        with:
+          languages: go
+      - name: Run CodeQL variant analysis
+        uses: github/codeql-action/analyze@86f3159a697a097a813ad9bfa0002412d97690a4
+      - name: Show CodeQL scan SARIF report
+        if: always()
+        run: cat ../results/go.sarif
+
   vulnerability-scan:
     name: Vulnerability Scanning
     runs-on: ubuntu-latest

diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
@@ -29,6 +29,24 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
+  variant-analysis:
+    name: Variant Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@86f3159a697a097a813ad9bfa0002412d97690a4
+        with:
+          languages: go
+      - name: Run CodeQL variant analysis
+        uses: github/codeql-action/analyze@86f3159a697a097a813ad9bfa0002412d97690a4
+      - name: Show CodeQL scan SARIF report
+        if: always()
+        run: cat ../results/go.sarif
+
   vulnerability-scan:
     name: Vulnerability Scanning
     if: github.repository_owner == 'submariner-io'