pipelines: Run CodeQL analysis for Go on 1ES Hosted Pool
Vendoring the Microsoft Graph SDK for Go causes memory consumption during CodeQL analysis to double due to its enormous API surface, putting it well beyond the memory limit of standard GitHub Action runners. I inquired with the Azure organization admins about provisioning larger GitHub runners, but was directed instead to use the 1ES Hosted Pool which runs our other CI checks. Since ARO controls the VM type for Hosted Pool agents, we can use a VM type with adequate memory for CodeQL analysis with the Graph SDK. Note: Implemented CodeQL commands in a template in case we ever decide to move JavaScript or Python analysis to 1ES Hosted Pool as well.
Showing 3 changed files with 64 additions and 1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
parameters: | ||
- name: language | ||
type: string | ||
values: | ||
# Based on "codeql resolve languages" | ||
- cpp | ||
- csharp | ||
- csv | ||
- go | ||
- html | ||
- java | ||
- javascript | ||
- properties | ||
- python | ||
- ruby | ||
- xml | ||
- name: target | ||
type: string | ||
default: host | ||
- name: github_token | ||
type: string | ||
|
||
# Based on "Use CodeQL in CI system" documentation: | ||
# https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/about-codeql-code-scanning-in-your-ci-system | ||
steps: | ||
- script: | | ||
set -xe | ||
sarif_file=codeql-results-${{ parameters.language }}.sarif | ||
wget --quiet --output-document=- https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz | tar --extract --gunzip | ||
./codeql/codeql database create ./codeql-db --language=${{ parameters.language }} | ||
./codeql/codeql database analyze ./codeql-db --format=sarif-latest --sarif-category=no --output=${sarif_file} | ||
./codeql/codeql github upload-results --sarif=${sarif_file} --ref=$(Build.SourceBranch) | ||
env: | ||
GITHUB_TOKEN: ${{ parameters.github_token }} | ||
displayName: ⚙️ CodeQL Analysis (${{ parameters.language }}) | ||
target: ${{ parameters.target }} |
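Review bot: the download line `wget --quiet --output-document=- https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz | tar --extract --gunzip` fetches an unpinned `latest` bundle and extracts it straight off the network with no checksum or signature verification, so the CodeQL CLI that then runs with `GITHUB_TOKEN` in its environment is whatever that URL serves on a given day; pin a specific bundle release tag in the URL and verify the archive against a known digest before extracting it (download to a file, `sha256sum --check`, then `tar`), which also makes analysis results reproducible between runs. Two smaller points in the same script: `set -xe` does not fail the step when `wget` fails inside the pipe, so add `set -o pipefail`; and `--sarif-category=no` uploads the literal string `no` as the analysis category, which means any second language analysed through this template (the commit message mentions JavaScript and Python as candidates) would upload under the same category and ref and replace the Go results, whereas `--sarif-category=${{ parameters.language }}` keeps them distinct.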