chore: Review CodeQL config (#4133)

Fixes #4032
kedacore · Jan 18, 2023 · a25f1a4 · a25f1a4
1 parent 22a5111
commit a25f1a4
Show file tree

Hide file tree

Showing 4 changed files with 75 additions and 85 deletions.
diff --git a/.github/workflows/static-analysis-codeql.yml b/.github/workflows/static-analysis-codeql.yml
@@ -0,0 +1,33 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request: {}
+
+jobs:
+  codeQl:
+    name: Analyze CodeQL Go
+    runs-on: ubuntu-latest
+    container: ghcr.io/kedacore/build-tools:1.19.5
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+    - name: Register workspace path
+      run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: go
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        queries: +security-and-quality
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:go"
diff --git a/.github/workflows/static-analysis-semgrep.yml b/.github/workflows/static-analysis-semgrep.yml
@@ -0,0 +1,37 @@
+name: "Semgrep"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request_target: {}
+
+jobs:
+  semgrep:
+    name: Analyze Semgrep
+    runs-on: ubuntu-latest
+    container: returntocorp/semgrep
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      - uses: actions/checkout@v3
+      - name: Register workspace path
+        if: ${{ github.event.number > 0 }}
+        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+      - name: Checkout Pull Request
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        id: checkout
+        if: ${{ github.event.number > 0 }}
+        run: |
+          apk add github-cli
+          gh pr checkout ${{ github.event.number }}
+
+      - run: semgrep ci --sarif --output=semgrep.sarif
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+
+      - name: Upload SARIF file for GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: semgrep.sarif
+        if: ${{ github.event.number == '' && !cancelled() }}
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -83,10 +83,13 @@ New deprecation(s):
 
 ### Other
 
-- **RabbitMQ Scaler:** Move from `streadway/amqp` to `rabbitmq/amqp091-go` ([#4004](https://github.com/kedacore/keda/pull/4039))
 - **General**: Bump Golang to 1.19 ([#4094](https://github.com/kedacore/keda/issues/4094))
-- **General:** Compare error with `errors.Is` ([#4004](https://github.com/kedacore/keda/pull/4004))
 - **General:** Check that ScaledObject name is specified as part of a query for getting metrics ([#4088](https://github.com/kedacore/keda/pull/4088))
+- **General:** Compare error with `errors.Is` ([#4004](https://github.com/kedacore/keda/pull/4004))
+- **General:** Review CodeQL rules and enable it on PRs ([#4032](https://github.com/kedacore/keda/pull/4032))
+- **RabbitMQ Scaler:** Move from `streadway/amqp` to `rabbitmq/amqp091-go` ([#4004](https://github.com/kedacore/keda/pull/4039))
+
+
 
 ## v2.9.2