Filter vendor and test CodeQL results (#2243)
Skip scanning for files under the `test/` or `vendor/` directories, or
for `_test.go` files.

Neither the Go nor the C/C++ CodeQL scanning supports the `path-ignore` config
options, raising the warning:
```
Path filters have no effect for Go
Go does not support path-based filtering. The paths and paths-ignore configuration properties will have no effect for this language.
```

Use the recommended `advanced-security/filter-sarif` action to instead
filter results, based on the [provided
example](https://github.com/advanced-security/filter-sarif?tab=readme-ov-file#example).

Remove the config file since there is nothing to configure.

Additionally, build the `securitypolicy.exe` and `dmverity-vhd` binaries
during CodeQL, and `securitypolicy` during the normal build CI.

Signed-off-by: Hamza El-Saawy <[email protected]>
helsaawy authored Aug 23, 2024
1 parent 00640ef commit e7a1be7
Showing 3 changed files with 45 additions and 11 deletions.
10 changes: 0 additions & 10 deletions .github/codeql/codeql-config.yml

This file was deleted.

6 changes: 6 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -698,6 +698,11 @@ jobs:
name: Build networkagent.exe
- run: ${{ env.GO_BUILD_CMD }} ./internal/tools/securitypolicy
name: Build securitypolicy.exe
- run: ${{ env.GO_BUILD_CMD }} ./internal/tools/securitypolicy
name: Build securitypolicy
env:
GOOS: linux
GOARCH: amd64
- run: ${{ env.GO_BUILD_CMD }} ./internal/tools/uvmboot
name: Build uvmboot.exe
- run: ${{ env.GO_BUILD_CMD }} ./internal/tools/zapdir
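Review bot: the new `Build securitypolicy` step builds the same package path (`./internal/tools/securitypolicy`) as the `Build securitypolicy.exe` step immediately above it, so the two outputs are kept apart only by the `.exe` suffix the Windows build produces; `GO_BUILD_CMD` is not visible in this hunk, so please confirm it does not pass a fixed `-o` output name, otherwise the linux/amd64 build overwrites the Windows binary. A step name such as `Build securitypolicy (linux/amd64)` would also make the job log unambiguous.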
Expand All @@ -719,6 +724,7 @@ jobs:
grantvmgroupaccess.exe
networkagent.exe
securitypolicy.exe
securitypolicy
uvmboot.exe
zapdir.exe
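Review bot: adding `securitypolicy` to this artifact list matches the new linux/amd64 build step, but the bare name gives no OS hint next to `securitypolicy.exe`; if the list is ever consumed by tooling that assumes Windows binaries, a suffix or a separate linux artifact list would be clearer.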
40 changes: 39 additions & 1 deletion .github/workflows/codeql.yml
Expand Up @@ -68,12 +68,14 @@ jobs:
internal/tools/extendedtask,
internal/tools/grantvmgroupaccess,
internal/tools/networkagent,
internal/tools/securitypolicy
internal/tools/uvmboot,
internal/tools/zapdir,
- goos: linux
language: go, c-cpp
targets: >-
cmd/dmverity-vhd,
cmd/gcs,
cmd/gcstools,
cmd/hooks/wait-paths,
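Review bot: the added `internal/tools/securitypolicy` entry is missing the trailing comma that every other entry in this `targets: >-` folded list carries, so after folding it becomes `internal/tools/securitypolicy internal/tools/uvmboot,`; if the build step splits `targets` on commas this yields one malformed target instead of two. Add the comma: `internal/tools/securitypolicy,`. The `cmd/dmverity-vhd,` addition to the linux targets is consistent with the commit message.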
Expand All @@ -100,7 +102,6 @@ jobs:
with:
build-mode: manual
languages: ${{matrix.language}}
config-file: ./.github/codeql/codeql-config.yml

# build binaries
- name: Build go binaries
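Review bot: dropping `config-file` is consistent with deleting `.github/codeql/codeql-config.yml`, but that file's contents are not shown in this commit view; confirm it held only the ineffective `paths`/`paths-ignore` entries, since any `queries:` or query-pack settings in it would silently revert to the default suite once the input is removed.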
Expand All @@ -122,7 +123,44 @@ jobs:
if: ${{ matrix.goos == 'linux' }}
run: make bin/vsockexec bin/init

# only upload results if the analysis fails
# otherwise, save the output and use `advanced-security/filter-sarif` to filter paths
- name: CodeQL Analyze
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
output: sarif-results
upload: failure-only

- name: Filter Go SARIF Results
uses: advanced-security/filter-sarif@v1
with:
patterns: |
+**/*.go
-**/*_test.go
-test/**/*.go
-vendor/**/*.go
input: sarif-results/go.sarif
output: sarif-results/go.sarif

- name: Filter C/C++ SARIF Results
uses: advanced-security/filter-sarif@v1
if: ${{ matrix.goos == 'linux' }}
with:
patterns: |
+**/*
-vendor/**/*
input: sarif-results/cpp.sarif
output: sarif-results/cpp.sarif

- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: sarif-results

- name: Upload SARIF Results as Build Artifact
uses: actions/upload-artifact@v4
with:
name: sarif-results-${{ matrix.goos }}
path: sarif-results
retention-days: 1
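Review bot: the C/C++ filter (`+**/*`, `-vendor/**/*`) excludes only `vendor/`, while the commit message says files under `test/` should be skipped as well; either add `-test/**/*` here or state in the comment that the test exclusion is Go-only. Two further points on the Go patterns: `-test/**/*.go` is anchored at the repository root, so a `test/` directory nested under a package (e.g. `internal/foo/test/`) would still be reported, and `-**/*_test.go` will also drop findings in test helpers that ship in non-test packages only if they follow the `_test.go` naming. The `upload: failure-only` / `upload-sarif` split is sound, since a failed analyze step stops the job before the filter runs, so raw and filtered results are never both uploaded.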
