CodeQL workflow for Java

[cko-developer-portal[bot]]

Issue

PIMOB-2199

Why has this PR been raised?

The Engineering Experience and Security teams have been working together to help secure our repositories. This includes enabling Github features such as Advanced Security and Secret Scanning.

This PR is to add a Github Actions workflow for running CodeQL.

What is CodeQL?

CodeQL is the analysis engine used by developers to automate security checks, and by security, researchers to perform variant analysis.

In CodeQL, code is treated like data. Security vulnerabilities, bugs, and other errors are modeled as queries that can be executed against databases extracted from code. You can run the standard CodeQL queries, written by GitHub researchers and community contributors, or write your own to use in custom analyses. Queries that find potential bugs highlight the result directly in the source file.

See more details here.

What does my team need to do?

To run this workflow you might need to make a few changes to this file.

Some changes are:

• Allow GitHub actions created by GitHub in all repositories following this guide
• Add any other branches you wish to scan
• Exclude any test files or projects you do not wish to scan

Running on public runners

CodeQL workflow is pre-configured to run on self-hosted runners associated with your organization by default. If organization does not have any self hosted runners, submit a request via Fresh Service(GitHub Organisation Self Hosted Runners Onboarding).

However, as an exception or in case of unforeseen failure you can update your workflow to run on public runners.

• Change the runs on: [...] to runs on: [ubuntu-latest]
• Prepare/build your application the way you would do normally so that CodeQL can analyze it
• Make sure your self-hosted runners satisfy CodeQL resource requirements

What should we do if we have any problems with this?

If you encounter any issues, please message the #ask-security channel, a Security Champion in your team or Engineering area, or Application Security (Andra Lezza)

Why has this PR been raised again, we closed the last one.

If your repo is not part of an exemption list and has been tagged as needing to be scanned, you will need to first merge the codeql-analysis*.yml file and kick off a code scan before closing the PR.

[github-advanced-security[bot]]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.