diff --git a/.gitignore b/.gitignore index b366a77b..1359b51d 100644 --- a/.gitignore +++ b/.gitignore @@ -51,3 +51,6 @@ bin/ # other caches **/.cache/** + +# codeql +**/.codeql/** diff --git a/codeql/README.md b/codeql/README.md new file mode 100644 index 00000000..c151360b --- /dev/null +++ b/codeql/README.md 
@@ -0,0 +1,60 @@ +# CodeQL + +Custom CodeQL model packs. + +## Development + +1. Install codeql CLI + (https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/setting-up-the-codeql-cli) + +```sh +# https://formulae.brew.sh/cask/codeql +brew install --cask codeql +``` + +### Setup + +`codeql pack init` + +- https://docs.github.com/en/code-security/tutorials/customize-code-scanning/creating-and-working-with-codeql-packs + +## Publishing + +1. `cd` into the directory containing the `qlpack.yml` file. +2. If needed, bump the version in the `qlpack.yml` + 1. Check versions already published at + https://github.com/orgs/smartcontractkit/packages +3. `gh auth token | codeql pack publish --github-auth-stdin` + +## Using + +### CodeQL Default + +As far as I can tell, there is no way to configure specific repos to use +_separately_ published CodeQL model packs. + +You can use model packs declared explicitly in your repository though. If you +wish to do this, follow +[these instructions](https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/editing-your-configuration-of-default-setup#extending-codeql-coverage-with-codeql-model-packs-in-default-setup). + +#### At the org-level + +At the org-level, you can configure all default CodeQL setups to include +specific model packs. See +[these docs](https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/editing-your-configuration-of-default-setup#extending-coverage-for-all-repositories-in-an-organization). + +### CodeQL Advanced + +CodeQL Advanced requires passing in a config or a pack explicitly. + +For example: + +`.github/codeql/codeql-actions.yml` + +```yml +packs: + - smartcontractkit/actions-all-extension@^ + +queries: + - uses: security-extended +``` 
diff --git a/codeql/actions/codeql-pack.lock.yml b/codeql/actions/codeql-pack.lock.yml new file mode 100644 index 00000000..53004274 --- /dev/null +++ b/codeql/actions/codeql-pack.lock.yml @@ -0,0 +1,4 @@ +--- +lockVersion: 1.0.0 +dependencies: {} +compiled: false diff --git a/codeql/actions/models/trusted-owner.model.yml b/codeql/actions/models/trusted-owner.model.yml new file mode 100644 index 00000000..31f49d77 --- /dev/null +++ b/codeql/actions/models/trusted-owner.model.yml @@ -0,0 +1,11 @@ +# See: https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-actions/#example-extend-the-trusted-actions-publishers-for-the-actions-unpinned-tag-query +# I believe the default configuration is here: https://github.com/github/codeql/blob/main/actions/ql/lib/ext/config/trusted_actions_owner.yml +extensions: + - addsTo: + pack: codeql/actions-all + extensible: trustedActionsOwnerDataModel + data: + - ["smartcontractkit"] + - ["actions"] + - ["github"] + - ["advanced-security"] diff --git a/codeql/actions/qlpack.yml b/codeql/actions/qlpack.yml new file mode 100644 index 00000000..05f01101 --- /dev/null +++ b/codeql/actions/qlpack.yml @@ -0,0 +1,7 @@ +name: smartcontractkit/actions-all-extension +version: 1.0.0 +library: true +extensionTargets: + codeql/actions-all: "*" +dataExtensions: + - models/**/*.yml
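Review bot: in the README's "CodeQL Advanced" example, the pack reference `smartcontractkit/actions-all-extension@^` carries a caret with no base version, so it is unclear which range the config selects; either drop the suffix to take the latest published version or spell out a range that matches the `version: 1.0.0` declared in `qlpack.yml`, e.g. `- smartcontractkit/actions-all-extension@^1.0.0`. Two smaller documentation gaps in the same hunk: the publishing step `gh auth token | codeql pack publish --github-auth-stdin` only works if the token carries the `write:packages` scope, which `gh auth token` does not guarantee, so state the required scope next to step 3; and the example file `.github/codeql/codeql-actions.yml` is only picked up when the `github/codeql-action/init` step is given `config-file:` pointing at it, so the section should show that line, since "requires passing in a config or a pack explicitly" does not say where.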
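Review bot: in `trusted-owner.model.yml`, each owner added to `trustedActionsOwnerDataModel` exempts every action under that owner from the `actions/unpinned-tag` finding, so `uses: owner/action@v1` references to `smartcontractkit`, `actions`, `github` and `advanced-security` will no longer be flagged; that is a deliberate widening of the trust boundary and the file should say why each owner is trusted rather than only linking the docs. The second comment ("I believe the default configuration is here") also leaves open whether the `addsTo` extension is purely additive over the upstream `trusted_actions_owner.yml`; please confirm, and if the upstream list already contains `actions`, `github` and `advanced-security`, trim the data to the `["smartcontractkit"]` row so the model only carries the org-specific change.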