diff --git a/.github/scripts/spellcheck.words b/.github/scripts/spellcheck.words
index 728ba8d3f4..cfb5801578 100644
--- a/.github/scripts/spellcheck.words
+++ b/.github/scripts/spellcheck.words
@@ -121,6 +121,8 @@ CMakeLists
 CNA
 CNAME
 CNAMEs
+CodeQL
+codeql
 CODESET
 codeset
 CodeSonar
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000000..db5a930ba5
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,85 @@
+# Copyright (C) Daniel Stenberg, , et al.
+#
+# SPDX-License-Identifier: curl
+
+name: CodeQL
+
+'on':
+ push:
+ branches:
+ - master
+ - '*/ci'
+ paths-ignore:
+ - '**/*.md'
+ - '.circleci/**'
+ - 'appveyor.*'
+ - 'docs/**'
+ - 'packages/**'
+ - 'plan9/**'
+ - 'projects/**'
+ - 'tests/data/**'
+ - 'winbuild/**'
+ pull_request:
+ branches:
+ - master
+ paths-ignore:
+ - '**/*.md'
+ - '.circleci/**'
+ - 'appveyor.*'
+ - 'docs/**'
+ - 'packages/**'
+ - 'plan9/**'
+ - 'projects/**'
+ - 'tests/data/**'
+ - 'winbuild/**'
+ schedule:
+ - cron: '0 0 * * 4'
+
+concurrency:
+ group: ${{ github.workflow }}
+
+permissions: {}
+
+jobs:
+ codeql:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: 'install prereqs'
+ run: |
+ sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
+ sudo apt-get -o Dpkg::Use-Pty=0 update
+ sudo apt-get -o Dpkg::Use-Pty=0 install \
+ libpsl-dev
+
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3
+ with:
+ languages: cpp
+ queries: security-and-quality
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3
+
+ # â„šī¸ Command-line programs to run using the OS shell.
+ # 📚 https://git.io/JvXDl
+
+ # âœī¸ If the Autobuild fails above, remove it and uncomment the following three lines
+ # and modify them (or add more) to build your code if your project
+ # uses a compiled language
+
+ # - run: |
+ # make bootstrap
+ # make release
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3
diff --git a/tests/CI.md b/tests/CI.md
index 429bf264e0..2888acac81 100644
--- a/tests/CI.md
+++ b/tests/CI.md
@@ -31,8 +31,10 @@ Consider the following table while looking at pull request failures:
 | CI platform as shown in PR | State | What to look at next |
 | ----------------------------------- | ------ | -------------------------- |
+ | CI / codeql | stable | quality check results |
 | CI / fuzzing | stable | fuzzing results |
 | CI / macos ... | stable | all errors and failures |
+ | Code scanning results / CodeQL | stable | quality check results |
 | FreeBSD FreeBSD: ... | stable | all errors and failures |
 | LGTM analysis: Python | stable | new findings |
 | LGTM analysis: C/C++ | stable | new findings |
@@ -40,6 +42,7 @@ Consider the following table while looking at pull request failures:
 | AppVeyor | flaky | all errors and failures |
 | curl.curl (linux ...) | stable | all errors and failures |
 | curl.curl (windows ...) | flaky | repetitive errors/failures |
+ | CodeQL | stable | new findings |
 Sometimes the tests fail due to a dependency service temporarily being offline or otherwise unavailable, for example package downloads. In this case you can
@@ -58,7 +61,7 @@ GitHub Actions runs the following tests:
 - macOS tests with a variety of different compilation options
 - Fuzz tests ([see the curl-fuzzer repo for more info](https://github.com/curl/curl-fuzzer)).
-- curl compiled using the Rust TLS backend with Hyper
+- CodeQL static analysis
 These are each configured in different files in `.github/workflows`.
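Review bot: `group: ${{ github.workflow }}` under `concurrency` carries no ref component, so every push, every pull request and the weekly scheduled run of this workflow share one queue; GitHub allows at most one running and one pending run per group and cancels the older pending run when a newer one arrives, so under pull-request traffic some PRs may never receive the "CI / codeql" check that tests/CI.md now lists. Unless serializing all CodeQL runs is intentional (in which case a comment saying so would help), the usual form is `group: ${{ github.workflow }}-${{ github.ref }}`, optionally with `cancel-in-progress: true` so a superseded push on the same ref stops scanning stale code. The commented-out starter-kit text from the "Command-line programs to run using the OS shell" comment through `# make release` is template boilerplate whose `https://git.io/JvXDl` link no longer resolves (git.io redirects were retired); dropping it, or replacing it with a one-line note on what Autobuild is expected to do for this tree, would leave only curl-specific comments. The pinned action SHAs, `persist-credentials: false` and the empty top-level `permissions: {}` with only `security-events: write` on the job are sound least-privilege choices and need no change.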