CI/CD - Add code security scanning (#206)

Add code security scanning. __Major Revisions__ * enable dependabot auto updates * scan code with CodeQL

CI/CD - Add code security scanning (#206)
Add code security scanning. __Major Revisions__ * enable dependabot auto updates * scan code with CodeQL
849b6cac · Yifan Xiong · GitHub · c9cffdf1 · 849b6cac · 849b6cac
Unverified Commit 849b6cac authored Oct 11, 2021 by Yifan Xiong Committed by GitHub Oct 11, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 81 additions and 0 deletions

.github/dependabot.yml .github/dependabot.yml +22 -0

.github/workflows/codeql-analysis.yml .github/workflows/codeql-analysis.yml +59 -0

No files found.
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
+version: 2
+updates:
+  # enable version updates for pip
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    allow:
+      - dependency-type: "direct"
+    labels:
+      - "dependencies"
+    assignees:
+      - "guoshzhao"
+  # enable version updates for npm
+  - package-ecosystem: "npm"
+    directory: "/website/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+    assignees:
+      - "abuccts"
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
+name: "CodeQL"
+
+on:
+  push:
+    branches:
+    - main
+    - release/*
+  pull_request:
+    branches:
+    - main
+    - release/*
+  schedule:
+  - cron: "30 1 * * 1"
+
+jobs:
+  analyze:
+    name: CodeQL analyze ${{ matrix.language }}
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+        - python
+        - javascript
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1
+  analyze-cpp:
+    name: CodeQL analyze cpp
+    runs-on: ubuntu-latest
+    container:
+      image: nvcr.io/nvidia/pytorch:20.12-py3
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: cpp
+    - name: Build
+      run: make cppbuild -j
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1