perf: add codeql for security scan (#219)

Signed-off-by: msclock <[email protected]>
serious-scaffold · Apr 19, 2024 · d32823b · d32823b
1 parent 2de7319
commit d32823b
Show file tree

Hide file tree

Showing 7 changed files with 222 additions and 0 deletions.
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
@@ -0,0 +1,11 @@
+name: CodeQL config
+
+query-filters:
+  - exclude:
+      id: cpp/commented-out-code
+  - exclude:
+      id: cpp/include-non-header
+  - exclude:
+      id: cpp/loop-variable-changed
+  - exclude:
+      id: cpp/useless-expression
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,89 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: CodeQL
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+  schedule:
+    - cron: 15 4 * * 3
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-22.04
+    timeout-minutes: 15
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [cpp]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        with:
+          fetch-depth: 0
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        with:
+          languages: ${{ matrix.language }}
+          config-file: ./.github/codeql-config.yml
+
+      - name: Cache
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+        with:
+          path: |
+            ~/vcpkg
+            ~/.cache/vcpkg
+          key: x64-linux-gcc-13-${{ hashFiles('vcpkg.json') }}
+          restore-keys: x64-linux-gcc-13-${{ hashFiles('vcpkg.json') }}
+
+      - uses: aminya/setup-cpp@v1
+        with:
+          compiler: gcc-13
+          cmake: true
+          ninja: true
+          ccache: true
+
+      - name: Configure CMake
+        run: >
+          cmake -S . --preset=default
+          -DCMAKE_BUILD_TYPE=DebWithRelInfo
+          -DCMAKE_CXX_STANDARD=20
+          -DCMAKE_COMPILE_WARNING_AS_ERROR=ON
+          -DVCPKG_TARGET_TRIPLET=x64-linux
+          -DUSE_SANITIZER=OFF
+          -DCODE_COVERAGE=OFF
+          -DBUILD_TESTING=ON
+
+      - name: Build
+        run: cmake --build --preset=default --target all
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
diff --git a/copier.yml b/copier.yml
@@ -183,3 +183,9 @@ codecov_threshold:
   help: 'Specify the minimum coverage threshold for codecov:'
   type: str
   when: '{{ use_codecov == true }}'
+
+use_codeql:
+  default: true
+  help: 'Whether to add codeql integration:'
+  type: bool
+  when: '{{ repo_host_type == "github.com" }}'
diff --git a/docs/tutorials/project_management.md b/docs/tutorials/project_management.md
@@ -74,6 +74,14 @@ Codecov is a popular tool for measuring code coverage. It can be integrated with
 It is enabled by default. And you can disable the Codecov integration by passing the flag `-d/--data use_codecov=false` to copier.
 ```
 
+### CodeQL
+
+CodeQL is a static analysis tool that can be used to identify security vulnerabilities and coding errors. It can be integrated with GitHub/GitLab to provide a visual representation of the code quality of the project.
+
+```{note}
+It is enabled by default. And you can disable the CodeQL integration by passing the flag `-d/--data use_codeql=false` to copier.
+```
+
 ### Release
 
 Release is also a critical aspect of project management. It is important to follow a standardized release process to ensure that the project is well-maintained and up-to-date. We apply the [semantic-release](https://github.com/semantic-release/semantic-release) to automate the release process. At least, a permitted token is required to enable the published release can trigger the released CD pipeline.

diff --git a/...dif %]/[% if repo_name == 'ss-cpp' %]tutorials[% endif %]/project_management.md b/...dif %]/[% if repo_name == 'ss-cpp' %]tutorials[% endif %]/project_management.md
@@ -74,6 +74,14 @@ Codecov is a popular tool for measuring code coverage. It can be integrated with
 It is enabled by default. And you can disable the Codecov integration by passing the flag `-d/--data use_codecov=false` to copier.
 ```
 
+### CodeQL
+
+CodeQL is a static analysis tool that can be used to identify security vulnerabilities and coding errors. It can be integrated with GitHub/GitLab to provide a visual representation of the code quality of the project.
+
+```{note}
+It is enabled by default. And you can disable the CodeQL integration by passing the flag `-d/--data use_codeql=false` to copier.
+```
+
 ### Release
 
 Release is also a critical aspect of project management. It is important to follow a standardized release process to ensure that the project is well-maintained and up-to-date. We apply the [semantic-release](https://github.com/semantic-release/semantic-release) to automate the release process. At least, a permitted token is required to enable the published release can trigger the released CD pipeline.

diff --git a/...'github.com' %].github[% endif %]/[% if use_codeql == true %]codeql-config.yml[% endif %] b/...'github.com' %].github[% endif %]/[% if use_codeql == true %]codeql-config.yml[% endif %]
@@ -0,0 +1,11 @@
+name: CodeQL config
+
+query-filters:
+  - exclude:
+      id: cpp/commented-out-code
+  - exclude:
+      id: cpp/include-non-header
+  - exclude:
+      id: cpp/loop-variable-changed
+  - exclude:
+      id: cpp/useless-expression
diff --git a/...om' %].github[% endif %]/workflows/[% if use_codeql == true %]codeql.yml[% endif %].jinja b/...om' %].github[% endif %]/workflows/[% if use_codeql == true %]codeql.yml[% endif %].jinja
@@ -0,0 +1,89 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: CodeQL
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+  schedule:
+    - cron: 15 4 * * 3
+
+concurrency:
+  group: {{ '${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}' }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-22.04
+    timeout-minutes: 15
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [cpp]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        with:
+          fetch-depth: 0
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        with:
+          languages: {{ '${{ matrix.language }}' }}
+          config-file: ./.github/codeql-config.yml
+
+      - name: Cache
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+        with:
+          path: |
+            ~/vcpkg
+            ~/.cache/vcpkg
+          key: x64-linux-gcc-13-{{ '${{ hashFiles(\'vcpkg.json\') }}' }}
+          restore-keys: x64-linux-gcc-13-{{ '${{ hashFiles(\'vcpkg.json\') }}' }}
+
+      - uses: aminya/setup-cpp@v1
+        with:
+          compiler: gcc-13
+          cmake: true
+          ninja: true
+          ccache: true
+
+      - name: Configure CMake
+        run: >
+          cmake -S . --preset=default
+          -DCMAKE_BUILD_TYPE=DebWithRelInfo
+          -DCMAKE_CXX_STANDARD=20
+          -DCMAKE_COMPILE_WARNING_AS_ERROR=ON
+          -DVCPKG_TARGET_TRIPLET=x64-linux
+          -DUSE_SANITIZER=OFF
+          -DCODE_COVERAGE=OFF
+          -DBUILD_TESTING=ON
+
+      - name: Build
+        run: cmake --build --preset=default --target all
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9