kibana/.github/workflows/codeql.yml at 76f62f9ac82841f62672653b56c10f81a2278795 · abhishekbhatia1710/kibana · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
name: "CodeQL"

on:
  schedule:
    - cron: '27 21 * * *' # At 21:27 every day

jobs:
  analyze:
    name: Analyze
    runs-on: kibana
    permissions:
      actions: read
      contents: read
      security-events: write
    if: github.repository == 'elastic/kibana' # Hack: Do not run on forks

    strategy:
      fail-fast: false
      matrix:
        language: [ 'javascript' ]
        branch: [ 'main', '8.19' ]

    steps:
    - name: Checkout repository
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        ref: ${{ matrix.branch }}
        persist-credentials: false

    - name: Initialize CodeQL
      uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
      with:
        languages: ${{ matrix.language }}
        config-file: ./.github/codeql/codeql-config.yml
        packs: |
          githubsecuritylab/codeql-${{ matrix.language }}-queries

    # TODO: Possibly required to follow all call paths, however, when enabled, the step below runs out of memory.
    # Possible workarounds: Apply for access to the GitHub beta where we can use beefier machines, or run it ourselves on Buildkite
    # - name: yarn kbn bootstrap
    #   run: |
    #     mkdir ~/.npm-global
    #     npm config set prefix '~/.npm-global'
    #     export PATH=~/.npm-global/bin:$PATH
    #     yarn kbn bootstrap --no-validate --no-vscode

    - name: Set sha and branch
      run: |
        echo "CHECKOUT_REF=$(git symbolic-ref HEAD)" >> "$GITHUB_ENV"
        echo "CHECKOUT_SHA=$(git rev-parse HEAD)" >> "$GITHUB_ENV"

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
      env:
        NODE_OPTIONS: "--max-old-space-size=8192"
        CODEQL_EXTRACTOR_JAVASCRIPT_OPTION_SKIP_TYPES: true
        # CodeQL divides the memory between ts and jvm, though most of the memory is used by the ts.
        # We double the memory, so ts can use it in full capacity.
        # Refer to https://github.com/github/codeql/blob/59a77a873c894bca7274a7ed7c7c6d937547e9b3/javascript/resources/tools/autobuild.sh#L7-L13
        # 2 * 14576, considering our runner is 4 CPU/16GB.
        CODEQL_RAM: 29152
        CODEQL_THREADS: 2
      with:
        category: "/language:${{matrix.language}}"
        ref: ${{ env.CHECKOUT_REF }}
        sha: ${{ env.CHECKOUT_SHA }}
  alert:
    name: Alert
    runs-on: ubuntu-latest
    needs: analyze
    if: ${{ github.repository == 'elastic/kibana' && success() }} # Hack: Do not run on forks
    steps:
    - name: Checkout kibana-operations
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        repository: 'elastic/kibana-operations'
        ref: main
        path: ./kibana-operations
        token: ${{secrets.KIBANAMACHINE_TOKEN}}
        persist-credentials: false

    - name: CodeQL alert
      working-directory: ./kibana-operations/triage
      env:
        GITHUB_TOKEN: ${{secrets.KIBANAMACHINE_TOKEN}}
        GITHUB_REPO: kibana
        SLACK_TOKEN: ${{secrets.CODE_SCANNING_SLACK_TOKEN}}
        SLACK_CHANNEL: ${{secrets.CODE_SCANNING_SLACK_CHANNEL_ID}}
        CODE_SCANNING_ES_HOST: ${{secrets.CODE_SCANNING_ES_HOST}}
        CODE_SCANNING_ES_API_KEY: ${{secrets.CODE_SCANNING_ES_API_KEY}}
        CODE_SCANNING_BRANCHES: main,8.19
      run: |
        npm ci --omit=dev
        node codeql-alert
  notify_on_failure:
    name: Failure notification
    runs-on: ubuntu-latest
    needs: analyze
    if: failure()
    steps:
      - name: Send notification to slack
        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
        with:
          method: chat.postMessage
          token: ${{ secrets.CODE_SCANNING_SLACK_TOKEN }}
          payload: |
            channel: ${{ secrets.CODE_SCANNING_SLACK_CHANNEL_ID }}
            "blocks": [
            	{
                "type": "section",
                "text": {
                  "type": "mrkdwn",
                  "text": ":broken_heart: CodeQL analysis failed for ${{ github.repository }}."
                }
              },
              {
                "type": "actions",
                "elements": [
                  {
                    "type": "button",
                    "text": {
                      "type": "plain_text",
                      "text": "View Workflow Run"
                    },
                    "url": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
                  }
                ]
              }
            ]