Add CodeQL scan

Maxim-Doronin · Maxim-Doronin · commit b8af72bfdac8 · 2025-04-11T11:09:49.000+01:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,61 @@
+name: "CodeQL Advanced"
+
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - develop
+  schedule:
+    - cron: '24 8 * * 6'
+
+concurrency:
+  group: linux-${{ github.event_name }}-${{ github.ref_name }}-codeql
+  cancel-in-progress: true
+
+permissions: read-all
+
+jobs:
+  AnalyzePython:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest-8-cores
+    permissions:
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: actions
+          build-mode: none
+        - language: python
+          build-mode: none
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+      with:
+        category: "/language:${{matrix.language}}"
+
+  AnalyzeCPP:
+    name: Analyze c-cpp
+    uses: ./.github/workflows/job_linux.yml
+    permissions:
+      actions: read
+      contents: read
+      packages: read
+      statuses: read
+      security-events: write
+    with:
+      os: ubuntu_24_04
+      build-runner: ubuntu-latest-64-cores
+      build-mlir: true
+      build-driver: false
+      with-codeql: true
diff --git a/.github/workflows/job_build_driver_linux.yml b/.github/workflows/job_build_driver_linux.yml
@@ -32,7 +32,11 @@ defaults:
   run:
     shell: bash
 
-permissions: read-all
+permissions:
+  actions: read
+  contents: read
+  packages: read
+  statuses: read
 
 jobs:
   Build:
@@ -140,7 +144,7 @@ jobs:
         uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: ${{ env.NPU_DRIVER_INSTALL_DIR }}
-          key: ${{ needs.Cache.outputs.cache-key }}
+          key: ${{ steps.cache-key.outputs.cache-key }}
 
       - name: Upload artifacts
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
diff --git a/.github/workflows/job_build_mlir_linux.yml b/.github/workflows/job_build_mlir_linux.yml
@@ -27,6 +27,11 @@ on:
         description: 'Cache package suffix'
         type: string
         required: false
+      with-codeql:
+        description: 'Whether to run CodeQL static C/C++ analyzer'
+        type: boolean
+        required: false
+        default: false
       with-tests:
         description: 'Whether to build test targets'
         type: boolean
@@ -41,15 +46,25 @@ defaults:
   run:
     shell: bash
 
-permissions: read-all
+permissions:
+  actions: read
+  contents: read
+  packages: read
+  statuses: read
 
 jobs:
   Build:
     name: Build
     runs-on: ${{ inputs.build-runner }}
     timeout-minutes: 240
+    permissions:
+      actions: read
+      contents: read
+      packages: read
+      statuses: read
+      security-events: write
     outputs:
-      build-package: ${{ steps.set-build-package-name.outputs.build-package }} 
+      build-package: ${{ steps.set-build-package-name.outputs.build-package }}
     env:
       DEBIAN_FRONTEND: noninteractive
       CMAKE_BUILD_TYPE: 'Release'
@@ -60,6 +75,8 @@ jobs:
       NPU_COMPILER_BUILD_DIR: ./npu_compiler_build
       OPENVINO_INSTALL_DIR: ./openvino_install
       OPENVINO_BUILD_PACKAGE: l_ov_dyn_${{ inputs.os }}_npu_${{ github.sha }}
+      CODEQL_OUTPUTS: ./codeql_outputs
+      CODEQL_ARTIFACT_NAME: l_codeql_${{ inputs.os }}_npu_${{ github.sha }}
     steps:
       - name: Get cache key
         if: ${{ inputs.build-cache }}
@@ -131,6 +148,14 @@ jobs:
             echo "ENABLE_TESTS_FLAG=OFF" >> $GITHUB_ENV
           fi
 
+      - name: Initialize CodeQL
+        if: ${{ !steps.cache-restore.outputs.cache-hit && inputs.with-codeql }}
+        uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+        with:
+          languages: c-cpp
+          build-mode: manual
+          source-root: ${{ env.NPU_COMPILER_REPO }}
+
       - name: CMake configure - OpenVINO
         if: ${{ !steps.cache-restore.outputs.cache-hit }}
         run: |
@@ -209,12 +234,51 @@ jobs:
           cmake --install ${NPU_COMPILER_BUILD_DIR} --config ${{ env.CMAKE_BUILD_TYPE }} --prefix ${OPENVINO_INSTALL_DIR}
           cmake --install ${NPU_COMPILER_BUILD_DIR} --config ${{ env.CMAKE_BUILD_TYPE }} --prefix ${OPENVINO_INSTALL_DIR} --component tests
 
+      - name: Perform CodeQL Analysis
+        id: codeql-analyze
+        if: ${{ !steps.cache-restore.outputs.cache-hit && inputs.with-codeql }}
+        uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+        with:
+          category: "/language:c-cpp"
+          output: ${{ env.CODEQL_OUTPUTS }}
+          upload: failure-only
+          checkout_path: ${{ env.NPU_COMPILER_REPO }}
+
+      - name: Filter CodeQL results
+        id: codeql-filtered-analyze
+        if: ${{ !steps.cache-restore.outputs.cache-hit && inputs.with-codeql }}
+        uses: advanced-security/filter-sarif@bc96d9fb9338c5b48cc440b1b4d0a350b26a20db # Release 1.0
+        with:
+          input: ${{ env.CODEQL_OUTPUTS }}/cpp.sarif
+          output: ${{ env.CODEQL_OUTPUTS }}/filtered-results.sarif
+          patterns: |
+            +**
+            -thirdparty/flatbuffers/**
+            -thirdparty/gtest-parallel/**
+            -thirdparty/llvm-project/**
+            -thirdparty/yaml-cpp/**
+
+      - name: Upload CodeQL SARIF
+        if: ${{ !steps.cache-restore.outputs.cache-hit && inputs.with-codeql }}
+        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+        with:
+          sarif_file: ${{ env.CODEQL_OUTPUTS }}/filtered-results.sarif
+          checkout_path: ${{ env.NPU_COMPILER_REPO }}
+
+      - name: Upload CodeQL loc as a Build Artifact
+        if: ${{ !steps.cache-restore.outputs.cache-hit && inputs.with-codeql }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.CODEQL_ARTIFACT_NAME }}
+          path: ${{ env.CODEQL_OUTPUTS }}
+          retention-days: 1
+
       - name: Cache artifacts
         if: ${{ inputs.build-cache && !steps.cache-restore.outputs.cache-hit }}
         uses: actions/cache/save@v4
         with:
           path: ${{ env.OPENVINO_INSTALL_DIR }}
-          key: ${{ needs.Cache.outputs.cache-key }}
+          key: ${{ steps.cache-key.outputs.cache-key }}
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v4
diff --git a/.github/workflows/job_linux.yml b/.github/workflows/job_linux.yml
@@ -45,6 +45,11 @@ on:
         description: 'Cache package suffix'
         type: string
         required: false
+      with-codeql:
+        description: 'Whether to run CodeQL static C/C++ analyzer'
+        type: boolean
+        required: false
+        default: false
       run-unit-tests:
         description: 'Whether to run NPU Compiler unit tests'
         type: boolean
@@ -65,7 +70,11 @@ defaults:
   run:
     shell: bash
 
-permissions: read-all
+permissions:
+  actions: read
+  contents: read
+  packages: read
+  statuses: read
 
 env:
   OPENVINO_INSTALL_DIR: ./openvino_install
@@ -75,13 +84,20 @@ jobs:
     name: MLIR / Build
     if: ${{ inputs.build-mlir }}
     uses: ./.github/workflows/job_build_mlir_linux.yml
+    permissions:
+      actions: read
+      contents: read
+      packages: read
+      statuses: read
+      security-events: write
     with:
       os: ${{ inputs.os }}
       build-runner: ${{ inputs.build-runner }}
       openvino-cmake-options: ${{ inputs.openvino-cmake-options }}
       npu-cmake-options: ${{ inputs.npu-cmake-options }}
       build-cache: ${{ inputs.build-cache }}
       build-cache-key-suffix: ${{ inputs.build-cache-key-suffix }}
+      with-codeql: ${{ inputs.with-codeql }}
       with-tests: ${{ inputs.run-unit-tests || inputs.run-lit-tests }}
 
   BuildDriver:
diff --git a/.github/workflows/job_tests_compilation_linux.yml b/.github/workflows/job_tests_compilation_linux.yml
@@ -28,7 +28,11 @@ defaults:
   run:
     shell: bash
 
-permissions: read-all
+permissions:
+  actions: read
+  contents: read
+  packages: read
+  statuses: read
 
 jobs:
   CompilationTests:
diff --git a/.github/workflows/job_tests_unit_mlir_linux.yml b/.github/workflows/job_tests_unit_mlir_linux.yml
@@ -25,7 +25,11 @@ defaults:
   run:
     shell: bash
 
-permissions: read-all
+permissions:
+  actions: read
+  contents: read
+  packages: read
+  statuses: read
 
 env:
   OPENVINO_INSTALL_DIR: ./openvino_install
diff --git a/.github/workflows/ubuntu_22.yml b/.github/workflows/ubuntu_22.yml
@@ -16,14 +16,20 @@ jobs:
   Ubuntu2204:
     name: Main Trigger
     uses: ./.github/workflows/job_linux.yml
+    permissions:
+      actions: read
+      contents: read
+      packages: read
+      statuses: read
+      security-events: write
     with:
       os: ubuntu_22_04
       build-runner: ubuntu-22.04-16-cores
       test-runner: ubuntu-22.04-8-cores
       build-cache: false
       build-cache-key-suffix: cache_${{ github.ref_name }}
-      build-mlir: false
-      build-driver: false
+      build-mlir: true
+      build-driver: true
       run-unit-tests: true
       run-lit-tests: true
       run-compilation-tests: true
diff --git a/.github/workflows/ubuntu_24.yml b/.github/workflows/ubuntu_24.yml
@@ -16,13 +16,19 @@ jobs:
   Ubuntu2404:
     name: Main Trigger
     uses: ./.github/workflows/job_linux.yml
+    permissions:
+      actions: read
+      contents: read
+      packages: read
+      statuses: read
+      security-events: write
     with:
       os: ubuntu_24_04
       build-runner: ubuntu-latest-32-cores
       test-runner: ubuntu-latest-8-cores
-      build-cache: true
+      build-cache: false
       build-cache-key-suffix: cache_${{ github.ref_name }}
-      build-mlir: false
+      build-mlir: true
       build-driver: true
       run-unit-tests: false
       run-lit-tests: false
