From b02ecab9d9b49d07dc64e1cc60a300e8f2ca3e9b Mon Sep 17 00:00:00 2001
From: Yiannis
Date: Mon, 2 Oct 2023 09:41:01 +0100
Subject: [PATCH] ci: Run CodeQL analysis as part of CI

---
 .github/workflows/scan.yaml | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index c97d35658d..29c0535f49 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -4,13 +4,16 @@ on:
   push:
     branches:
       - main
-      - v2
   pull_request:
     branches:
       - main
-      - v2
+  schedule:
+    - cron: '0 12 * * 1'
   workflow_dispatch:
 
+permissions:
+  contents: read # for actions/checkout to fetch code
+
 jobs:
   fossa:
     name: FOSSA
@@ -23,7 +26,24 @@ jobs:
       with:
         go-version: 1.20.X
       - name: Run FOSSA scan and upload build data
-        uses: fossa-contrib/fossa-action@v2
+        uses: fossa-contrib/fossa-action@6728dc6fe9a068c648d080c33829ffbe56565023 # v2.0.0
         with:
           fossa-api-key: 93622b4d45d39a92872a9593c815d7f3
           github-token: ${{ github.token }}
+
+  codeql:
+    name: CodeQL
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # for codeQL to write security events
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@04daf014b50eaf774287bf3f0f1869d4b4c4b913 # v2.21.7
+        with:
+          languages: go
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@04daf014b50eaf774287bf3f0f1869d4b4c4b913 # v2.21.7
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@04daf014b50eaf774287bf3f0f1869d4b4c4b913 # v2.21.7
\ No newline at end of file
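Review bot: The job-level `permissions:` block on the new `codeql` job replaces the workflow-level `contents: read` rather than merging with it, so that job's token is scoped to `security-events: write` only and `contents` falls back to none. That presumably still passes on a public repository, but it would break the checkout step on a private one and is narrower than the set the CodeQL action documents for a full run. I would make the job self-contained with `actions: read # for codeQL to read workflow run info`, `contents: read # for actions/checkout to fetch code` and the existing `security-events: write` line. Separately, the `fossa-api-key` on the unchanged context line is a plaintext credential in a committed workflow; if it is not a FOSSA push-only key it belongs in a repository secret referenced as `${{ secrets.FOSSA_API_KEY }}`.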