From d9123346851f81d9e116373502d73622a4cf13d6 Mon Sep 17 00:00:00 2001 From: Olga Malysheva Date: Mon, 8 Jul 2024 09:28:56 -0500 Subject: [PATCH 1/4] Add CodeQL scan workflow --- .github/workflows/codeql.yml | 86 ++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..085161b6b8 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,86 @@ +# Copyright (c) 2024 Intel Corporation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: "CodeQL" + +on: + push: + branches: [ "master" ] + pull_request: + branches: [ "master" ] + schedule: + - cron: '0 0 * * 7' + +permissions: + contents: read + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + # timeout-minutes: + permissions: + # required for all workflows + security-events: write + # required to fetch internal or private CodeQL packs + packages: read + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + language: ["cpp", "python"] + + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10 + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # â¹ï¸ Command-line programs to run using the OS shell. + # ð See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + #- if: matrix.build-mode == 'manual' + # shell: bash + # run: | + # echo 'If you are using a "manual" build mode for one or more of the' \ + # 'languages you are analyzing, replace this with the commands to build' \ + # 'your code, for example:' + # echo ' make bootstrap' + # echo ' make release' + # exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" From 7189c47029c658096eff2bbe8e66e31c68c558bc Mon Sep 17 00:00:00 2001 From: Olga Malysheva Date: Mon, 8 Jul 2024 09:53:34 -0500 Subject: [PATCH 2/4] Change the schedule --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 085161b6b8..d47b37c550 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -20,7 +20,7 @@ on: pull_request: branches: [ "master" ] schedule: - - cron: '0 0 * * 7' + - cron: '0 0 * * 1' permissions: contents: read From 61decdf70ac68ae570f07f7948ba387349a1c66d Mon Sep 17 00:00:00 2001 From: Olga Malysheva Date: Wed, 17 Jul 2024 04:03:49 -0500 Subject: [PATCH 3/4] Use version without hash --- .github/workflows/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d47b37c550..63cd900175 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -46,7 +46,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + uses: step-security/harden-runner@v2.6.1 with: egress-policy: audit @@ -62,7 +62,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10 + uses: github/codeql-action/autobuild@v3.24.10 # If the analyze step fails for one of the languages you are analyzing with # "We were unable to automatically build your code", modify the matrix above From 670ef981d6edd808fe351bd0bfa16d3792763dab Mon Sep 17 00:00:00 2001 From: Olga Malysheva Date: Wed, 17 Jul 2024 05:24:40 -0500 Subject: [PATCH 4/4] Fix encoding issue --- .github/workflows/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 63cd900175..7a80c5f0e2 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -68,8 +68,8 @@ jobs: # "We were unable to automatically build your code", modify the matrix above # to set the build mode to "manual" for that language. Then modify this step # to build your code. - # â¹ï¸ Command-line programs to run using the OS shell. - # ð See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + # Command-line programs to run using the OS shell. + # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun #- if: matrix.build-mode == 'manual' # shell: bash # run: |