gha: add CodeQL Analysis workflow #47034
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Ah, this probably requires some additional trickery to make it work;
```yaml
    - cron: '0 9 * * 4'

jobs:
  codeql:
```
I think we should have a matrix to analyze both dockerd and docker-proxy. Mainly because "Autobuild" will not build any of them so would need to set https://github.com/github/codeql-action/blob/8516954d603e47049b34f3da4dfac83009fcd450/autobuild/action.yml#L9 to ./cmd/dockerd and ./cmd/docker-proxy using a matrix. Can be done in follow-up.
Edit: Actually it will run make so should be fine: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#autobuild-for-go
(force-pushed from fd70fa2 to 0b9a464)
@crazy-max I added the symlink
LOL.. well, almost;
(force-pushed from 0b9a464 to 448ca57)
(force-pushed from 448ca57 to e779760)
OK, I think it worked; at least it indicates it scanned. The "files were found but not processed" are very likely the same reason as we have this on docker/cli; CodeQL ignores
```yaml
      - name: Update Go
        uses: actions/setup-go@v5
        with:
          go-version: 1.22.7
```
Maybe put go version as global env similar to other workflows
moby/.github/workflows/buildkit.yml, line 25 in d8b7ae7
Yeah, we should consider doing so; I'll look at that in a follow-up!
```yaml
jobs:
  codeql:
    runs-on: 'ubuntu-latest'
    timeout-minutes: 360
```
put it to 10 minutes, which (based on the above) should be enough currently (we can update if that turns out to be too short)
```yaml
    permissions:
      actions: read
      contents: read
      security-events: write
```
This can just be put as global perms
As discussed on Slack; my thinking here was that we set a default at the top (contents: read), and override only in places where it's needed.
Slightly on the defensive side in case (e.g.) someone decides "let's merge these two workflows in a single YAML", and now doesn't copy the permissions. Or vice versa: "let's add some other jobs to this file", which now would have more permissions than needed.
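To make the layering described above concrete, here is an illustrative workflow (added here, not the file from this PR or from the moby repository) that sets a read-only `permissions` default at the workflow level and widens it only on the `codeql` job. The `on:` triggers, the `actions/checkout@v4` and `github/codeql-action/*@v3` step versions, and the second `lint` job are assumptions chosen for the illustration; the cron schedule, `setup-go` step and the `codeql` job's permission set are the ones visible in the review snippets, and the 10-minute timeout is the value suggested in review.

```yaml
# Illustrative workflow (not the PR's own file): least-privilege default at the
# top, widened only where a job actually needs it.
name: codeql

on:                       # trigger set is an assumption for this example
  push:
    branches: [master]
  pull_request:
  schedule:
    - cron: '0 9 * * 4'   # weekly run, as in the PR's snippet

# Workflow-level default: every job, present or future, starts read-only.
permissions:
  contents: read

jobs:
  codeql:
    runs-on: ubuntu-latest
    timeout-minutes: 10   # value suggested in review instead of 360
    # Job-level override: only this job may upload SARIF results, and only
    # because the analyze step needs security-events: write to do so.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - name: Update Go
        uses: actions/setup-go@v5
        with:
          go-version: 1.22.7
      - uses: github/codeql-action/init@v3
        with:
          languages: go
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3

  # A job added later (hypothetical) inherits only the workflow default, so a
  # copy-paste or merge of workflow files cannot silently grant it
  # security-events: write.
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint    # hypothetical target, for illustration only
```

If the job-level `permissions` block is removed, the `analyze` step fails to upload results rather than the whole workflow quietly running with broader rights, which is the failure direction the comment above prefers.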
Signed-off-by: Sebastiaan van Stijn <[email protected]>
(force-pushed from e779760 to 450200b)

copied from https://github.com/docker/cli/blob/88e6474350e644495a8009e9e1437332aa828a17/.github/workflows/codeql.yml