GHA CI: add CodeQL scanning

This enable codebase scanning for C++ and JavaScript languages. https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning
2024-11-25 18:56:34 +03:00 · 2023-03-12 03:11:02 +08:00 · 2023-03-12 03:11:02 +08:00 · 0f32de9d8c
commit 0f32de9d8c
parent f630d84858
4 changed files with 49 additions and 1 deletions
--- a/.github/workflows/ci_ubuntu.yaml
+++ b/.github/workflows/ci_ubuntu.yaml
@ -4,6 +4,7 @@ on: [pull_request, push]

 permissions:
  actions: write
+  security-events: write

 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@ -65,6 +66,14 @@ jobs:
          cmake --build build
          sudo cmake --install build

+      # to avoid scanning 3rdparty codebases, initialize it just before building qbt
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        if: startsWith(matrix.libt_version, 2) && (matrix.qbt_gui == 'GUI=ON') && startsWith(matrix.qt_version, 6)
+        with:
+          config-file: ./.github/workflows/helper/codeql/cpp.yaml
+          languages: cpp
+
      - name: Build qBittorrent (Qt5)
        if: ${{ startsWith(matrix.qt_version, 5) }}
        run: |
@ -104,6 +113,10 @@ jobs:
          cmake --build build --target check
          DESTDIR="qbittorrent" cmake --install build

+      - name: Run CodeQL analysis
+        uses: github/codeql-action/analyze@v2
+        if: startsWith(matrix.libt_version, 2) && (matrix.qbt_gui == 'GUI=ON') && startsWith(matrix.qt_version, 6)
+
      - name: Prepare build artifacts
        run: |
          mkdir upload
--- a/.github/workflows/ci_webui.yaml
+++ b/.github/workflows/ci_webui.yaml
@ -2,7 +2,8 @@ name: CI - WebUI

 on: [pull_request, push]

-permissions: {}
+permissions:
+  security-events: write

 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@ -36,3 +37,12 @@ jobs:
        run: |
          npm run format
          git diff --exit-code
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          config-file: ./.github/workflows/helper/codeql/js.yaml
+          languages: javascript
+
+      - name: Run CodeQL analysis
+        uses: github/codeql-action/analyze@v2
--- a/.github/workflows/helper/codeql/cpp.yaml
+++ b/.github/workflows/helper/codeql/cpp.yaml
@ -0,0 +1,14 @@
+name: "CodeQL config for C++"
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - exclude:
+      id: cpp/commented-out-code
+  - exclude:
+      id: cpp/include-non-header
+  - exclude:
+      id: cpp/loop-variable-changed
+  - exclude:
+      id: cpp/useless-expression
--- a/.github/workflows/helper/codeql/js.yaml
+++ b/.github/workflows/helper/codeql/js.yaml
@ -0,0 +1,11 @@
+name: "CodeQL config for Javascript"
+
+paths-ignore:
+  - "**/lib/*"
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - exclude:
+      id: js/superfluous-trailing-arguments