Add GitHub workflow for CodeQL security scanning

This workflow introduces CodeQL to automatically scan the project for security vulnerabilities, supporting efforts to maintain a secure codebase. It also helps us comply with standards like the Cybersecurity Certification Act (CCA) by ensuring continuous security monitoring.
kubernetes-sigs · Oct 31, 2024 · d4ddf42 · d4ddf42
1 parent 7dc2f08
commit d4ddf42
Showing 1 changed file with 58 additions and 0 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,58 @@
+name: "CodeQL Advanced"
+
+on:
+  # We are checking both `master` and `book-v4` branches:
+  # - `master` represents the latest development work.
+  # - `book-v4` is the latest stable release branch, which contains the latest published code,
+  #   ensuring that any issues in production are identified and addressed promptly.
+  push:
+    branches: ["master", "book-v4"]
+  pull_request:
+    branches: ["master", "book-v4"]
+  schedule:
+    - cron: '30 20 * * 1'  # Runs every Monday at 8:30 PM
+
+jobs:
+  analyze:
+    name: Analyze Go
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.22'
+
+      - name: Build and install Kubebuilder CLI
+        run: make install
+
+      # Preparing the project-v4 sample for CodeQL analysis:
+      # - `go mod tidy` ensures dependencies are fully resolved.
+      # - `make manifests` generates required manifests for a complete project structure.
+      # - `make build` builds the project code, ensuring all components are ready for CodeQL analysis.
+      - name: Build project-v4 sample project
+        run: |
+          cd testdata/project-v4
+          go mod tidy
+          echo 'Running build commands for Go in project-v4'
+          make manifests
+          make build
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: go
+          build-mode: autobuild
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:go"