Filter vendor and test CodeQL results

Skip scanning for files under the `test/` or `vendor/` directories, or
for `_test.go` files.

Neither the Go or C/C++ CodeQL scanning support the `path-ignore` config
options, raising the warning:
```
Path filters have no effect for Go
Go does not support path-based filtering. The paths and paths-ignore configuration properties will have no effect for this language.
```

Use the recommended `advanced-security/filter-sarif` action to instead
filter results, based on [provided
example](https://github.com/advanced-security/filter-sarif?tab=readme-ov-file#example).

Remove the config file since there is nothing to configure.

Additionally, build the `securitypolicy.exe` and `dmverity-vhd` binaries
during CodeQL, and `securitypolicy` during the normal build CI.

Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>

.github/workflows/ci.yml

@@ -698,6 +698,11 @@ jobs:
         name: Build networkagent.exe
       - run: ${{ env.GO_BUILD_CMD }} ./internal/tools/securitypolicy
         name: Build securitypolicy.exe
+      - run: ${{ env.GO_BUILD_CMD }} ./internal/tools/securitypolicy
+        name: Build securitypolicy
+        env:
+          GOOS: linux
+          GOARCH: amd64
       - run: ${{ env.GO_BUILD_CMD }} ./internal/tools/uvmboot
         name: Build uvmboot.exe
       - run: ${{ env.GO_BUILD_CMD }} ./internal/tools/zapdir
@@ -719,6 +724,7 @@ jobs:
             grantvmgroupaccess.exe
             networkagent.exe
             securitypolicy.exe
+            securitypolicy
             uvmboot.exe
             zapdir.exe
 

.github/workflows/codeql.yml

@@ -68,12 +68,14 @@ jobs:
               internal/tools/extendedtask,
               internal/tools/grantvmgroupaccess,
               internal/tools/networkagent,
+              internal/tools/securitypolicy
               internal/tools/uvmboot,
               internal/tools/zapdir,
 
           - goos: linux
             language: go, c-cpp
             targets: >-
+              cmd/dmverity-vhd,
               cmd/gcs,
               cmd/gcstools,
               cmd/hooks/wait-paths,
@@ -100,7 +102,6 @@ jobs:
         with:
           build-mode: manual
           languages: ${{matrix.language}}
-          config-file: ./.github/codeql/codeql-config.yml
 
       # build binaries
       - name: Build go binaries
@@ -122,7 +123,44 @@ jobs:
         if: ${{ matrix.goos == 'linux' }}
         run: make bin/vsockexec bin/init
 
+      # only upload results if the analysis fails
+      # otherwise, save the output and use `advanced-security/filter-sarif` to filter paths
       - name: CodeQL Analyze
         uses: github/codeql-action/analyze@v3
         with:
           category: "/language:${{matrix.language}}"
+          output: sarif-results
+          upload: failure-only
+
+      - name: Filter Go SARIF Results
+        uses: advanced-security/filter-sarif@v1
+        with:
+          patterns: |
+            +**/*.go
+            -**/*_test.go
+            -test/**/*.go
+            -vendor/**/*.go
+          input: sarif-results/go.sarif
+          output: sarif-results/go.sarif
+
+      - name: Filter C/C++ SARIF Results
+        uses: advanced-security/filter-sarif@v1
+        if: ${{ matrix.goos == 'linux' }}
+        with:
+          patterns: |
+            +**/*
+            -vendor/**/*
+          input: sarif-results/cpp.sarif
+          output: sarif-results/cpp.sarif
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: sarif-results
+
+      - name: Upload SARIF Results as Build Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sarif-results
+          path: sarif-results
+          retention-days: 1