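# Copyright 2025 Chainguard, Inc.
# SPDX-License-Identifier: Apache-2.0

# CodeQL scanning in two jobs: the Go sources (built with cgo against a
# yara-x C API compiled from a pinned upstream tag) and the workflow files.
name: "CodeQL Advanced"

on:
  pull_request:
  push:
    branches: ["main"]
  schedule:
    - cron: "35 23 * * 0"

env:
  # cgo is required because the Go code links the yara-x-capi static library.
  CGO_ENABLED: "1"
  # Lets the CodeQL Go extractor trace the manual build step below.
  CODEQL_EXTRACTOR_GO_BUILD_TRACING: "on"
  # Single source of truth for the yara-x tag to check out and the cache keys.
  YARA_X_RELEASE: "1.17.0"

# No default token scopes; each job grants only what it needs.
permissions: {}

jobs:
  analyze:
    # Skip on forks so the scan only runs in the upstream repository.
    if: ${{ github.repository == 'chainguard-dev/malcontent' }}
    runs-on: ubuntu-latest-16-core
    permissions:
      actions: read
      contents: read
      packages: read
      security-events: write
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          # Outbound traffic is denied except to the hosts listed below
          # (GitHub, Go toolchain/module mirrors, Rust toolchain/crates).
          egress-policy: block
          allowed-endpoints: >
            *.blob.core.windows.net:443
            *.githubapp.com:443
            api.github.com:443
            dl.google.com:443
            github.com:443
            go.dev:443
            index.crates.io:443
            objects.githubusercontent.com:443
            proxy.golang.org:443
            release-assets.githubusercontent.com:443
            static.crates.io:443
            static.rust-lang.org:443
            storage.googleapis.com:443
            sum.golang.org:443
            uploads.github.com:443

      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false

      # The built yara-x C API is cached per release and OS; on a cache hit the
      # yara-x checkout, Rust toolchain and build steps below are all skipped.
      - name: Cache yara-x-capi installation
        id: yara-x-capi
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: yara-x-install
          key: yara-x-capi-v${{ env.YARA_X_RELEASE }}-${{ runner.os }}

      - name: Checkout virusTotal/yara-x
        if: steps.yara-x-capi.outputs.cache-hit != 'true'
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
          fetch-depth: 0
          fetch-tags: true
          repository: virusTotal/yara-x
          path: yara-x
          # Pinned to a tag, so the C API source cannot drift between runs.
          ref: refs/tags/v${{ env.YARA_X_RELEASE }}

      - name: Install Rust for yara-x-capi
        if: steps.yara-x-capi.outputs.cache-hit != 'true'
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
        with:
          toolchain: stable

      - name: Cache Rust dependencies
        if: steps.yara-x-capi.outputs.cache-hit != 'true'
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/.cargo/registry/
            ~/.cargo/git/
          key: rust-cargo-v${{ env.YARA_X_RELEASE }}-${{ runner.os }}
          restore-keys: rust-cargo-

      - name: Build yara-x-capi
        if: steps.yara-x-capi.outputs.cache-hit != 'true'
        env:
          WORKSPACE: ${{ github.workspace }}
        run: |
          # NOTE(review): cargo-c itself is not version-pinned here; --locked only
          # honours cargo-c's own lockfile, so an uncached run installs whatever
          # crates.io currently serves as the latest cargo-c.
          command -v cargo-cinstall || cargo install cargo-c --locked
          cd "${WORKSPACE}/yara-x"
          # Static library installed into the cached directory; the Go build
          # step finds it through PKG_CONFIG_PATH / LD_LIBRARY_PATH.
          RUSTFLAGS="-C target-feature=+crt-static" cargo cinstall -p yara-x-capi --features=native-code-serialization \
            --profile release-lto \
            --pkgconfigdir="${WORKSPACE}/yara-x-install" \
            --includedir="${WORKSPACE}/yara-x-install" \
            --libdir="${WORKSPACE}/yara-x-install" \
            --crt-static --library-type="staticlib"
          # Presumably removed so the yara-x sources are not picked up by the
          # Go extractor below — TODO confirm.
          rm -rf "${WORKSPACE}/yara-x"

      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: "go.mod"
          check-latest: true
          cache: true

      - name: Initialize CodeQL
        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          languages: go
          # Manual mode: the traced build step below is what CodeQL observes.
          build-mode: manual

      - name: Build Go packages and test binaries for CodeQL
        run: |
          go build -o /dev/null ./...
          go test -o /dev/null -c ./...
        env:
          # Point cgo at the yara-x-capi install produced (or restored) above.
          PKG_CONFIG_PATH: ${{ github.workspace }}/yara-x-install
          LD_LIBRARY_PATH: ${{ github.workspace }}/yara-x-install

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          category: "/language:go"

  analyze-actions:
    if: ${{ github.repository == 'chainguard-dev/malcontent' }}
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      packages: read
      security-events: write
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: block
          allowed-endpoints: >
            *.blob.core.windows.net:443
            *.githubapp.com:443
            api.github.com:443
            dl.google.com:443
            github.com:443
            go.dev:443
            objects.githubusercontent.com:443
            proxy.golang.org:443
            release-assets.githubusercontent.com:443
            storage.googleapis.com:443
            sum.golang.org:443
            uploads.github.com:443

      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          languages: actions
          # Workflow files need no build step.
          build-mode: none

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          category: "/language:actions"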