Enable GitHub Code Scanning (#148318)

This enables [GitHub Code Scanning][1] to run on the `main` branch once a day. The result of the scans can be found under [Security > Code scanning][2]. Running the code scanner takes about two hours, so it's not feasible to run for every PR, and for now I think it's too much to run on every pushed commit to `main` as well. However, this can always be enabled later as needed. The scan is configured to ignore test files and dev-dependency packages hosted inside the Kibana repo. If these were included in the scan, it would take three hours instead of two and the report would include more noise taking focus away from the important findings affecting production. [1]: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning [2]: https://github.com/elastic/kibana/security/code-scanning
2025-06-27 18:51:07 -04:00 · 2023-01-27 10:03:16 +01:00 · 2023-01-27 10:03:16 +01:00 · 2b276a9dca
commit 2b276a9dca
parent 7ee827b844
2 changed files with 122 additions and 0 deletions
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@ -0,0 +1,73 @@
+paths-ignore:
+  - '**/*.test.*'
+  - packages/kbn-ambient-common-types
+  - packages/kbn-ambient-ftr-types
+  - packages/kbn-ambient-storybook-types
+  - packages/kbn-ambient-ui-types
+  - packages/kbn-apm-synthtrace
+  - packages/kbn-axe-config
+  - packages/kbn-babel-plugin-package-imports
+  - packages/kbn-babel-preset
+  - packages/kbn-babel-register
+  - packages/kbn-babel-transform
+  - packages/kbn-bazel-packages
+  - packages/kbn-bazel-runner
+  - packages/kbn-ci-stats-core
+  - packages/kbn-ci-stats-performance-metrics
+  - packages/kbn-ci-stats-reporter
+  - packages/kbn-cli-dev-mode
+  - packages/core/test-helpers/core-test-helpers-kbn-server
+  - packages/kbn-cypress-config
+  - packages/kbn-dev-cli-errors
+  - packages/kbn-dev-cli-runner
+  - packages/kbn-dev-proc-runner
+  - packages/kbn-dev-utils
+  - packages/kbn-docs-utils
+  - packages/kbn-es
+  - packages/kbn-es-archiver
+  - packages/kbn-eslint-config
+  - packages/kbn-eslint-plugin-disable
+  - packages/kbn-eslint-plugin-eslint
+  - packages/kbn-eslint-plugin-imports
+  - packages/kbn-expect
+  - packages/kbn-failed-test-reporter-cli
+  - packages/kbn-find-used-node-modules
+  - packages/kbn-ftr-common-functional-services
+  - packages/kbn-ftr-screenshot-filename
+  - packages/kbn-generate
+  - packages/kbn-get-repo-files
+  - packages/kbn-import-resolver
+  - packages/kbn-jest-serializers
+  - packages/kbn-journeys
+  - packages/kbn-kibana-manifest-schema
+  - packages/kbn-managed-vscode-config
+  - packages/kbn-managed-vscode-config-cli
+  - packages/kbn-optimizer
+  - packages/kbn-optimizer-webpack-helpers
+  - packages/kbn-package-map
+  - packages/kbn-peggy
+  - packages/kbn-peggy-loader
+  - packages/kbn-performance-testing-dataset-extractor
+  - packages/kbn-plugin-generator
+  - packages/kbn-plugin-helpers
+  - packages/kbn-repo-path
+  - packages/kbn-repo-source-classifier
+  - packages/kbn-repo-source-classifier-cli
+  - packages/kbn-some-dev-log
+  - packages/kbn-sort-package-json
+  - packages/kbn-spec-to-console
+  - packages/kbn-stdio-dev-helpers
+  - packages/kbn-storybook
+  - packages/kbn-telemetry-tools
+  - packages/kbn-test
+  - packages/kbn-test-jest-helpers
+  - packages/kbn-test-subj-selector
+  - packages/kbn-tooling-log
+  - packages/kbn-ts-project-linter
+  - packages/kbn-ts-project-linter-cli
+  - packages/kbn-ts-projects
+  - packages/kbn-ts-type-check-cli
+  - packages/kbn-web-worker-stub
+  - packages/kbn-yarn-lock-validator
+  - test
+  - x-pack/test
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -0,0 +1,49 @@
+name: "CodeQL"
+
+on:
+  schedule:
+    - cron: '27 21 * * *' # At 21:27 every day
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript' ]
+        # branch: [ 'main', '7.17' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+      # TODO: Enable once a `.github/codeql/codeql-config.yml` file has been committed to 7.17
+      # with:
+      #   ref: ${{ matrix.branch }}
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        config-file: ./.github/codeql/codeql-config.yml
+
+    # TODO: Possibly required to follow all call paths, however, when enabled, the step below runs out of memory.
+    # Possible workarounds: Apply for access to the GitHub beta where we can use beefier machines, or run it ourselves on Buildkite
+    # - name: yarn kbn bootstrap
+    #   run: |
+    #     mkdir ~/.npm-global
+    #     npm config set prefix '~/.npm-global'
+    #     export PATH=~/.npm-global/bin:$PATH
+    #     yarn kbn bootstrap --no-validate --no-vscode
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      # env:
+      #   NODE_OPTIONS: "--max-old-space-size=6144"
+      with:
+        category: "/language:${{matrix.language}}"