
ci: add CodeQL security scanning workflow #264

Merged
thananon merged 5 commits into develop from users/tpatinya/add-codeql-v2
Apr 24, 2026

Conversation

@thananon
Contributor

Summary

Add CodeQL static analysis workflow following ROCm project standards (amdsmi/aqlprofile pattern) to scan C/C++ code for security vulnerabilities.

Details

  • Runs on develop and mainline branch pushes and PRs
  • Weekly scheduled scan on Fridays at 6:34 PM UTC
  • Uses security-extended query suite for comprehensive coverage
  • Builds with minimal dependencies (no NIC/MPI) for faster analysis

Motivation

Part of TheRock component onboarding requirements - Security & Compliance check.

Testing

Workflow will run automatically on this PR. Expected to complete successfully with the minimal build configuration.

Add CodeQL static analysis workflow following ROCm project standards
(amdsmi/aqlprofile pattern). Scans C/C++ code for security vulnerabilities.

- Runs on develop/mainline branch pushes and PRs
- Weekly scheduled scan on Fridays
- Uses security-extended query suite
- Builds with minimal dependencies (no NIC/MPI) for faster analysis

Part of TheRock component onboarding requirements.
@thananon thananon requested a review from a team as a code owner April 24, 2026 19:30
CodeQL analysis needs ROCm/HIP installed to build TransferBench.
Switch to rocm/dev-ubuntu-22.04 container following aqlprofile pattern.

- Add git installation in container
- Configure git safe directory
- Add CMAKE_PREFIX_PATH=/opt/rocm for hip-config.cmake discovery
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@nileshnegi nileshnegi requested a review from Copilot April 24, 2026 20:02
Comment thread .github/workflows/codeql.yml
Contributor

Copilot AI left a comment


Pull request overview

Adds a GitHub Actions CodeQL workflow to run C/C++ static security analysis for TransferBench as part of TheRock onboarding Security & Compliance requirements.

Changes:

  • Introduces a new .github/workflows/codeql.yml workflow for CodeQL scanning on pushes/PRs to develop and mainline, plus a weekly scheduled run.
  • Configures CodeQL to use the security-extended query suite and performs a minimal CMake build (NIC/MPI disabled) to drive analysis.


thananon and others added 2 commits April 24, 2026 15:23
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
- Add -y flag to apt-add-repository to avoid interactive prompts
- Replace safe.directory wildcard with GITHUB_WORKSPACE for minimal permissions

Rationale:
1. Interactive prompts can hang CI jobs waiting for user input
2. Using '*' for safe.directory is unnecessarily permissive; GITHUB_WORKSPACE
   provides sufficient access while maintaining defense-in-depth

Note: Container image intentionally remains unpinned per maintainer preference
@thananon
Contributor Author

Copilot review feedback addressed in commit 2c44bc4:

  1. Interactive prompts: Added -y flag to apt-add-repository to prevent CI jobs from hanging on confirmation prompts

  2. Git safe.directory permissions: Replaced wildcard '*' with ${GITHUB_WORKSPACE} for minimal necessary permissions while maintaining defense-in-depth

  3. Container tag: Intentionally kept rocm/dev-ubuntu-22.04:latest unpinned per maintainer preference (see thread)

  4. YAML indentation: No action needed - YAML syntax is valid and parses correctly
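As an added example that is not the PR's own `.github/workflows/codeql.yml` (the file itself is not shown on this page), the workflow below is assembled from what the PR description, the commit messages and the review follow-up describe: push/PR triggers on develop and mainline, a Friday 18:34 UTC schedule, the security-extended suite, the rocm/dev-ubuntu-22.04 container with git installed, the scoped safe.directory setting, and a minimal CMake build with CMAKE_PREFIX_PATH=/opt/rocm. The codeql-action and checkout versions, the permissions block, the job name and the two CMake option names that disable NIC/MPI are assumptions; TransferBench's real option names do not appear on the page.

```yaml
# Added example, not the PR's own codeql.yml.
# Assumptions: codeql-action@v3, actions/checkout@v4, the permissions block,
# the 'codeql' job name, and the -DENABLE_NIC/-DENABLE_MPI option names
# (hypothetical stand-ins for whatever TransferBench actually uses).
name: CodeQL

on:
  push:
    branches: [develop, mainline]
  pull_request:
    branches: [develop, mainline]
  schedule:
    # Weekly scan, Fridays at 18:34 UTC (the PR's "6:34 PM UTC")
    - cron: '34 18 * * 5'

permissions:
  contents: read
  security-events: write   # required to upload results to the Security tab
  actions: read

jobs:
  codeql:
    runs-on: ubuntu-latest
    container:
      # Left unpinned to match the maintainer preference stated in the PR;
      # pinning to a digest (image@sha256:...) is the stricter supply-chain choice.
      image: rocm/dev-ubuntu-22.04:latest
    steps:
      - name: Install git in the container
        run: |
          apt-get update
          # -y suppresses confirmation prompts that would otherwise hang the job
          apt-get install -y git

      - name: Configure git safe.directory
        run: |
          # Weak setting from the PR's first revision (trusts every directory):
          #   git config --global --add safe.directory '*'
          # Scoped setting from the follow-up commit (trusts only the checkout):
          git config --global --add safe.directory "${GITHUB_WORKSPACE}"

      - name: Checkout
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: c-cpp
          queries: security-extended
          build-mode: manual   # we drive the build ourselves below

      - name: Minimal build (no NIC/MPI)
        run: |
          # CMAKE_PREFIX_PATH=/opt/rocm lets CMake locate hip-config.cmake.
          # ENABLE_NIC / ENABLE_MPI are hypothetical option names.
          cmake -S . -B build \
            -DCMAKE_PREFIX_PATH=/opt/rocm \
            -DENABLE_NIC=OFF \
            -DENABLE_MPI=OFF
          cmake --build build -j"$(nproc)"

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:c-cpp"
```

The `security-events: write` permission is what lets the analyze step upload SARIF to code scanning; `contents: read` keeps the token otherwise read-only. The safe.directory step is the place to check when a containerized job fails with git's "dubious ownership" error: the scoped form fixes it for the checkout without trusting arbitrary paths, which is the point of the review change on this PR.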

@thananon thananon merged commit a76e516 into develop Apr 24, 2026
6 checks passed


4 participants