operator-sdk
chore: Enable codeql action
This action runs GitHub's industry-leading semantic code analysis engine, CodeQL, against a repository's source code to find security vulnerabilities.
https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql
https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast
Signed-off-by: naveen [email protected]
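For readers who have not set this up before, here is an added example of the kind of workflow file the PR description refers to. It is not the file from this PR, and the default-branch name (`master`), the weekly schedule and the action version tags are assumptions; the only fact taken from the page is that the target is operator-sdk, which is written in Go, so CodeQL needs a build step.

```yaml
# Added example, not the PR's own workflow file. Branch name, schedule and
# version tags are assumptions; the Go language setting follows operator-sdk.
name: CodeQL

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
  schedule:
    # Weekly scan keeps the alert list current even when PR traffic is low.
    - cron: '0 6 * * 1'

permissions:
  contents: read          # needed for actions/checkout
  security-events: write  # needed to upload SARIF results to code scanning

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [ 'go' ]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          # The default suite is fairly narrow; this pack adds more
          # security and code-quality queries to the scan.
          queries: security-and-quality

      # Go is a compiled language, so CodeQL has to observe a build to
      # extract a database. Autobuild tries the standard Go toolchain.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
        with:
          category: "/language:${{ matrix.language }}"
```

The analyze step uploads its findings and exits successfully regardless of what it found; the results appear under the repository's Security tab as code scanning alerts. Whether open alerts cause the check to show as failed on a pull request is controlled by the repository's code scanning settings (the check-failure severity threshold), not by anything in this file, which is the distinction behind the "will this fail PRs" question raised in the thread below.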
I think this looks good, but I think it would be a good idea to have @jmrodri or @asmacdo to take a look at this as well before merging
A friendly ping
What is the plan for dealing with this action? Are we going to fail PRs because of them? Are we going to maintain these?
I like the idea but not sure if I want to maintain these long term. Do we have a report of the output to see how bad we are right now?
@jmrodri I think we can make it so that the check won't fail PRs. I'm not sure how much maintenance this action would need on our end. I personally think just having the reports to look at would be good, even if we don't fail PRs on it. I am working on generating a report on my fork to see how it says we are now.
👍
Here is the current report that I was able to get from the CodeQL scan on my fork: https://github.com/everettraven/operator-sdk/security/code-scanning
Looks pretty clean from what I can tell
Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle rotten /remove-lifecycle stale
Rotten issues close after 30d of inactivity.
Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.
/close
@openshift-bot: Closed this PR.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.