tier4 · KeisukeShima · May 27, 2021 · May 27, 2021 · May 27, 2021 · May 27, 2021
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -0,0 +1,2 @@
+paths-ignore:
+  - '**/vendor/*'
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,60 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  schedule:
+    - cron: '17 23 * * 3' # run at 08:17 AM Thursdays, JST
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp', 'python' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        config-file: ./.github/codeql/codeql-config.yml
+
+    - name: Setup ROS environment
+      uses: ros-tooling/[email protected]
+      with:
+        required-ros-distributions: foxy
+
+    - name: Search packages in this repository
+      id: list_packages
+      run: |
+        echo ::set-output name=package_list::$(colcon list --names-only)
+
+    - name: Concat build_depends.repos
+      run: |
+        curl -sSL -H "Authorization: token ${{ secrets.REPO_TOKEN }}" https://raw.githubusercontent.com/tier4/autoware.iv/main/build_depends.repos | sed '1d' >> build_depends.repos
+
+    - name: Run action-ros-ci
+      id: action_ros_ci_step
+      uses: ros-tooling/[email protected]
+      with:
+        package-name: ${{ steps.list_packages.outputs.package_list }}
+        target-ros2-distro: foxy
+        vcs-repo-file-url: build_depends.repos
+        import-token: ${{ secrets.REPO_TOKEN }}
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		paths-ignore:
		- '*/vendor/'
Copy link Contributor kmiya May 28, 2021 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. IMHO: In the security point of view, it might be useful to scan the vendor packages as well. If the scan for vendor packages is found to be annoying, let's ignore them. Copy link Contributor kenji-miyake May 28, 2021 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. How about testing vendor packages in another workflow? Copy link Contributor kmiya May 28, 2021 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. Ah, that might be a perfect solution! kenji-miyake reacted with thumbs up emoji Copy link Collaborator Author KeisukeShima May 28, 2021 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. I also agree with @kmiya san 's opinion. I'd like to see what it means to test in another workflow, does that mean it should be tested in the vendor's repository? Copy link Contributor kenji-miyake May 28, 2021 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. No, I meant to add `codeql-vendor-config.yml`! KeisukeShima reacted with thumbs up emoji