Add CodeQL variant analysis scanning

This is a different type of static analysis than any others we run. It identifies new issues that are missed by our other tools. The company that built it was bought by GitHub and the tool is being integrated into GitHub's security workflow. Relates-to: submariner-io/submariner#1970 Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
dfarrell07 · Aug 25, 2022 · 32d7368 · 32d7368
1 parent a4d259b
commit 32d7368
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -138,6 +138,24 @@ jobs:
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
 
+  variant-analysis:
+    name: Variant Analysis
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
+        with:
+          languages: go
+      - name: Build code, creating CodeQL database
+        run: make build
+      - name: Run CodeQL variant analysis
+        uses: github/codeql-action/analyze@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
+      - name: Show CodeQL scan SARIF report
+        if: always()
+        run: cat ../results/go.sarif
+
   yaml-lint:
     name: YAML
     runs-on: ubuntu-latest