From b0d86a71597d898da5bdc7dae8ca4afeb21a1144 Mon Sep 17 00:00:00 2001 From: Vaxry <43317083+vaxerski@users.noreply.github.com> Date: Mon, 17 Apr 2023 17:16:19 +0100 Subject: [PATCH] CI: Add CodeQL (#2088) --- .github/workflows/flawfinder.yml | 30 ----------- .github/workflows/security-checks.yml | 76 +++++++++++++++++++++++++++ 2 files changed, 76 insertions(+), 30 deletions(-) delete mode 100644 .github/workflows/flawfinder.yml create mode 100644 .github/workflows/security-checks.yml diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml deleted file mode 100644 index e1df95dc..00000000 --- a/.github/workflows/flawfinder.yml +++ /dev/null @@ -1,30 +0,0 @@ -name: Flawfinder - -on: - push: - branches: [ main ] - pull_request: - branches: [ main ] - -jobs: - flawfinder: - name: Flawfinder Checks - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Scan with Flawfinder - uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c - with: - arguments: '--sarif ./' - output: 'flawfinder_results.sarif' - - - name: Upload analysis results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: ${{github.workspace}}/flawfinder_results.sarif diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml new file mode 100644 index 00000000..6b7d71e5 --- /dev/null +++ b/.github/workflows/security-checks.yml @@ -0,0 +1,76 @@ +name: Security Checks + +on: [push, pull_request] + +jobs: + flawfinder: + name: Flawfinder Checks + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Scan with Flawfinder + uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c + with: + arguments: '--sarif ./' + output: 'flawfinder_results.sarif' + + - name: Upload analysis results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{github.workspace}}/flawfinder_results.sarif + + codeql: + name: CodeQL + runs-on: ubuntu-latest + container: + image: archlinux + + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'cpp' ] + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + + - name: Init Hyprland build + run: | + sed -i 's/SigLevel = Required DatabaseOptional/SigLevel = Optional TrustAll/' /etc/pacman.conf + pacman --noconfirm --noprogressbar -Syyu + pacman --noconfirm --noprogressbar -Sy glslang libepoxy libfontenc libxcvt libxfont2 libxkbfile vulkan-headers vulkan-validation-layers xcb-util-errors xcb-util-renderutil xcb-util-wm xorg-fonts-encodings xorg-server-common xorg-setxkbmap xorg-xkbcomp xorg-xwayland git cmake go clang lld libc++ pkgconf meson ninja wayland wayland-protocols libinput libxkbcommon pixman glm libdrm libglvnd cairo pango systemd scdoc base-devel seatd python libliftoff + useradd -m githubuser + echo -e "root ALL=(ALL:ALL) ALL\ngithubuser ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers + su githubuser -c "cd ~ && git clone https://aur.archlinux.org/libdisplay-info.git && cd ./libdisplay-info && makepkg -si --skippgpcheck --noconfirm --noprogressbar" + git config --global --add safe.directory /__w/Hyprland/Hyprland + + - name: Checkout Hyprland + uses: actions/checkout@v3 + with: + submodules: recursive + + - name: Build Hyprland + run: | + git submodule sync --recursive && git submodule update --init --force --recursive + make all + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}"