From a25f1a4b951b52f6f76f0b1aaa96e509fce466fb Mon Sep 17 00:00:00 2001
From: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es>
Date: Wed, 18 Jan 2023 10:33:01 +0100
Subject: [PATCH] chore: Review CodeQL config (#4133)

Fixes https://github.com/kedacore/keda/issues/4032
---
 .github/workflows/static-analysis-codeql.yml  | 33 ++++++++
 .github/workflows/static-analysis-semgrep.yml | 37 +++++++++
 .github/workflows/static-analysis.yml         | 83 -------------------
 CHANGELOG.md                                  |  7 +-
 4 files changed, 75 insertions(+), 85 deletions(-)
 create mode 100644 .github/workflows/static-analysis-codeql.yml
 create mode 100644 .github/workflows/static-analysis-semgrep.yml
 delete mode 100644 .github/workflows/static-analysis.yml

diff --git a/.github/workflows/static-analysis-codeql.yml b/.github/workflows/static-analysis-codeql.yml
new file mode 100644
index 00000000000..0e68f3c43b8
--- /dev/null
+++ b/.github/workflows/static-analysis-codeql.yml
@@ -0,0 +1,33 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request: {}
+
+jobs:
+  codeQl:
+    name: Analyze CodeQL Go
+    runs-on: ubuntu-latest
+    container: ghcr.io/kedacore/build-tools:1.19.5
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+    - name: Register workspace path
+      run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: go
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        queries: +security-and-quality
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:go"
diff --git a/.github/workflows/static-analysis-semgrep.yml b/.github/workflows/static-analysis-semgrep.yml
new file mode 100644
index 00000000000..066efe3d480
--- /dev/null
+++ b/.github/workflows/static-analysis-semgrep.yml
@@ -0,0 +1,37 @@
+name: "Semgrep"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request_target: {}
+
+jobs:
+  semgrep:
+    name: Analyze Semgrep
+    runs-on: ubuntu-latest
+    container: returntocorp/semgrep
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      - uses: actions/checkout@v3
+      - name: Register workspace path
+        if: ${{ github.event.number > 0 }}
+        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+      - name: Checkout Pull Request
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        id: checkout
+        if: ${{ github.event.number > 0 }}
+        run: |
+          apk add github-cli
+          gh pr checkout ${{ github.event.number }}
+
+      - run: semgrep ci --sarif --output=semgrep.sarif
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+
+      - name: Upload SARIF file for GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: semgrep.sarif
+        if: ${{ github.event.number == '' && !cancelled() }}
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
deleted file mode 100644
index 3b96f89ec76..00000000000
--- a/.github/workflows/static-analysis.yml
+++ /dev/null
@@ -1,83 +0,0 @@
-name: "Static Analysers"
-
-on:
-  push:
-    branches: [ "main" ]
-  pull_request_target: {}
-
-jobs:
-  codeQl:
-    name: Analyze CodeQL ${{ matrix.language }}
-    runs-on: ubuntu-latest
-    container: ghcr.io/kedacore/build-tools:1.19.5
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'go' ]
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-
-    - name: Register workspace path
-      if: ${{ github.event.number > 0 }}
-      run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
-
-    - name: Checkout Pull Request
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      id: checkout
-      if: ${{ github.event.number > 0 }}
-      run: |
-        gh pr checkout ${{ github.event.number }}
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-
-        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        # queries: security-extended,security-and-quality
-
-
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
-      with:
-        category: "/language:${{matrix.language}}"
-
-  semgrep:
-    name: Analyze Semgrep
-    runs-on: ubuntu-latest
-    container: returntocorp/semgrep
-    if: (github.actor != 'dependabot[bot]')
-    steps:
-      - uses: actions/checkout@v3
-      - name: Register workspace path
-        if: ${{ github.event.number > 0 }}
-        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
-
-      - name: Checkout Pull Request
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        id: checkout
-        if: ${{ github.event.number > 0 }}
-        run: |
-          apk add github-cli
-          gh pr checkout ${{ github.event.number }}
-
-      - run: semgrep ci --sarif --output=semgrep.sarif
-        env:
-          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
-
-      - name: Upload SARIF file for GitHub Advanced Security Dashboard
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          sarif_file: semgrep.sarif
-        if: ${{ github.event.number == '' && !cancelled() }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f90ce3fa74c..cbf98ff42de 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -83,10 +83,13 @@ New deprecation(s):
 
 ### Other
 
-- **RabbitMQ Scaler:** Move from `streadway/amqp` to `rabbitmq/amqp091-go` ([#4004](https://github.com/kedacore/keda/pull/4039))
 - **General**: Bump Golang to 1.19 ([#4094](https://github.com/kedacore/keda/issues/4094))
-- **General:** Compare error with `errors.Is` ([#4004](https://github.com/kedacore/keda/pull/4004))
 - **General:** Check that ScaledObject name is specified as part of a query for getting metrics ([#4088](https://github.com/kedacore/keda/pull/4088))
+- **General:** Compare error with `errors.Is` ([#4004](https://github.com/kedacore/keda/pull/4004))
+- **General:** Review CodeQL rules and enable it on PRs ([#4032](https://github.com/kedacore/keda/pull/4032))
+- **RabbitMQ Scaler:** Move from `streadway/amqp` to `rabbitmq/amqp091-go` ([#4004](https://github.com/kedacore/keda/pull/4039))
+
+
 
 ## v2.9.2