Merge pull request #1623 from kubearmor/add-codeql-sast

Add CodeQL for SAST

.github/workflows/ci-latest-helm-chart-release.yaml

@@ -7,6 +7,9 @@ on:
     paths:
       - "deployments/helm/**"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   publish-chart:
     name: Update Stable Helm Chart With Latest Changes

.github/workflows/ci-latest-release.yml

@@ -16,6 +16,9 @@ on:
     branches:
       - "v*"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   check:
     name: Check what pkg were updated

.github/workflows/ci-operator-release.yaml

@@ -14,6 +14,8 @@ on:
     branches:
       - "v*"
 
+# Declare default permissions as read only.
+permissions: read-all
 
 env:
   PLATFORM: linux/amd64,linux/arm64/v8

.github/workflows/ci-stable-release.yml

@@ -5,7 +5,9 @@ on:
     branches: [main]
     paths:
       - "STABLE-RELEASE"
-    #  - ".github/workflows/ci-stable-release.yml"
+
+# Declare default permissions as read only.
+permissions: read-all
 
 jobs:
   push-stable-version:

.github/workflows/ci-systemd-release.yml

@@ -5,8 +5,8 @@ on:
     tags:
       - "*"
 
-permissions:
-  contents: write
+# Declare default permissions as read only.
+permissions: read-all
 
 jobs:
   goreleaser:
@@ -33,6 +33,8 @@ jobs:
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
+        permissions:
+          contents: write
         with:
           distribution: goreleaser
           version: v1.12.2

.github/workflows/ci-test-controllers.yml

@@ -8,6 +8,9 @@ on:
       - "pkg/**"
       - ".github/workflows/ci-test-controllers.yml"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   kubearmor-controller-test:
     name: Build and Test KubeArmorController Using Ginkgo
@@ -43,7 +46,7 @@ jobs:
         run: |
           go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
           make -C tests/k8s_env/
-        timeout-minutes: 20
+        timeout-minutes: 30
 
       - name: Get karmor sysdump
         if: ${{ failure() }}

.github/workflows/ci-test-ginkgo.yml

@@ -19,6 +19,10 @@ on:
       - ".github/workflows/ci-test-ginkgo.yml"
       - "pkg/KubeArmorOperator/**"
       - "deployments/helm/**"
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     name: Auto-testing Framework / ${{ matrix.os }} / ${{ matrix.runtime }}

.github/workflows/ci-test-go.yml

@@ -3,8 +3,23 @@ name: ci-test-go
 on:
   push:
     branches: [main]
+    paths:
+      - "KubeArmor/**"
+      - "tests/**"
+      - "protobuf/**"
+      - ".github/workflows/ci-test-go.yml"
+      - "pkg/KubeArmorOperator/**"
   pull_request:
     branches: [main]
+    paths:
+      - "KubeArmor/**"
+      - "tests/**"
+      - "protobuf/**"
+      - ".github/workflows/ci-test-go.yml"
+      - "pkg/KubeArmorOperator/**"
+
+# Declare default permissions as read only.
+permissions: read-all
 
 jobs:
   go-fmt:

.github/workflows/ci-test-helm-charts.yml

@@ -12,6 +12,9 @@ on:
       - "deployments/helm/**"
       - ".github/workflows/ci-test-helm-charts.yml"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   lint:
     name: Helm Chart Tests / ubuntu 20.04

.github/workflows/ci-test-operator.yaml

@@ -17,6 +17,9 @@ on:
       - "deployments/**"
       - "KubeArmor/utils/**"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   kubearmor-operator-test:
     name: Build KubeArmor Operator

.github/workflows/ci-test-systemd.yml

@@ -16,6 +16,9 @@ on:
       - "protobuf/**"
       - ".github/workflows/ci-test-systemd.yml"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     name: Test KubeArmor in Systemd Mode

.github/workflows/ci-test-ubi-image.yml

@@ -16,6 +16,9 @@ on:
       - "protobuf/**"
       - ".github/workflows/ci-test-ginkgo.yml"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     name: Auto-testing Framework / ${{ matrix.os }} / ${{ matrix.runtime }}

.github/workflows/codeql.yml

@@ -0,0 +1,52 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '30 17 * * 5'
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: 'ubuntu-latest'
+    timeout-minutes: 30
+    permissions:
+      # required for all workflows
+      security-events: write
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: 'go'
+
+    # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v3
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:go"