Update CodeQL WF

Include rule filtering to filter out rules with high false positive rates, uploading CodeQL results to 'Code scanning' under the Security tab on Github, uploading CodeQL results as an artifact Signed-off-by: Brian <[email protected]>
IVOES · Feb 6, 2024 · 9c083d3 · 9c083d3
1 parent a1ca612
commit 9c083d3
Showing 1 changed file with 37 additions and 5 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -2,11 +2,7 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ "master", "codeql" ]
-  pull_request:
-    branches: [ "master", "codeql" ]
-  schedule:
-    - cron: "23 8 * * 5"
+    branches: [ "tseting2" ]
 
 jobs:
   analyze:
@@ -41,3 +37,39 @@ jobs:
         uses: github/codeql-action/analyze@v2
         with:
           category: "/language:cpp"
+          upload: false
+        id: step1
+
+      - name: Filter out unwanted errors and warnings
+        uses: advanced-security/filter-sarif@v1
+        with:
+          patterns: |
+            -**:cpp/path-injection
+            -**:cpp/world-writable-file-creation
+            -**:cpp/poorly-documented-function
+            -**:cpp/potentially-dangerous-function
+            -**:cpp/use-of-goto
+            -**:cpp/integer-multiplication-cast-to-long
+            -**:cpp/comparison-with-wider-type
+            -**:cpp/leap-year/*
+            -**:cpp/ambiguously-signed-bit-field
+            -**:cpp/suspicious-pointer-scaling
+            -**:cpp/suspicious-pointer-scaling-void
+            -**:cpp/unsigned-comparison-zero
+            -**/cmake*/Modules/**
+          input: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
+          output: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
+
+      - name: Upload CodeQL results to code scanning
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.step1.outputs.sarif-output }}
+          category: "/language:cpp"
+
+      - name: Upload CodeQL results as an artifact
+        if: success() || failure()
+        uses: actions/upload-artifact@v3
+        with:
+          name: codeql-results
+          path: ${{ steps.step1.outputs.sarif-output }}
+          retention-days: 5