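# Manual SAST scan with CodeQL.
#
# Compilation happens *inside* the CI docker container (same image as ci.yml),
# so CodeQL must run inside that container too: its C/C++ analysis works by
# tracing real compiler invocations, which it cannot do across `docker exec`.
# The CodeQL CLI bundle is therefore downloaded and driven from within the
# container, wrapping the project's normal `pip install .` build.
#
# Results are written as SARIF, uploaded to the repo's Security > Code scanning
# tab, and also attached as a build artifact (the report to hand to Security).
#
# Supply chain: this job runs on a self-hosted runner and executes whatever
# bundle CODEQL_BUNDLE_URL points at, so it is only reachable through
# workflow_dispatch, and the download can be integrity-checked by setting
# CODEQL_BUNDLE_SHA256 to the checksum published for a pinned release.
name: CodeQL (manual SAST)

on:
  workflow_dispatch:
    inputs:
      languages:
        description: "Languages to scan"
        type: choice
        default: "cpp,python"
        options:
          - "cpp,python"
          - "cpp"
          - "python"

permissions:
  contents: read
  security-events: write  # required to upload SARIF to the Security tab

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  IMAGE: rocm/mori:ci
  BASE_IMAGE: rocm/pytorch:rocm7.2.1_ubuntu24.04_py3.12_pytorch_release_2.8.0
  CONTAINER: mori_codeql_${{ github.run_id }}
  CT: docker
  # falls back to cpp,python when inputs.languages is empty (only
  # workflow_dispatch triggers this workflow, so the input default normally applies)
  LANGUAGES: ${{ inputs.languages || 'cpp,python' }}
  # CodeQL CLI bundle downloaded inside the container. "latest" floats from
  # run to run; pin to a release tag for reproducible scans and set
  # CODEQL_BUNDLE_SHA256 to that release's published checksum so a tampered or
  # truncated download fails the job instead of being extracted and executed.
  CODEQL_BUNDLE_URL: "https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz"
  CODEQL_BUNDLE_SHA256: ""  # empty = skip verification (previous behaviour)

jobs:
  codeql:
    name: CodeQL scan (MI355X_AINIC)
    runs-on: [self-hosted, MI355X-AINIC-TW]
    timeout-minutes: 120
    # Third-party actions below are referenced by major tag; pin them to a
    # full commit SHA if the repo's policy requires immutable action refs.
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: true

      - name: Build CI image
        run: $CT build --network=host --build-arg BASE_IMAGE=$BASE_IMAGE -t $IMAGE -f docker/Dockerfile.dev .

      # Long-lived container so build and analysis share one filesystem; the
      # workspace is bind-mounted at the same path as on the host.
      - name: Start container
        run: |
          $CT rm -f $CONTAINER 2>/dev/null || true
          CONTAINER_RUNTIME=$CT ./docker/ci_run.sh --name $CONTAINER \
            -v $GITHUB_WORKSPACE:$GITHUB_WORKSPACE \
            -w $GITHUB_WORKSPACE \
            $IMAGE sleep infinity
          $CT exec $CONTAINER \
            git config --global --add safe.directory $GITHUB_WORKSPACE

      # Everything CodeQL needs happens in one exec: fetch the CLI, build the
      # database(s) by tracing `pip install .`, analyze, and filter the SARIF.
      # HOST_UID/HOST_GID are resolved on the host so results are chown'd back
      # to the runner user before the step ends.
      - name: Run CodeQL (build + analyze) inside container
        run: |
          $CT exec \
            -e GITHUB_WORKSPACE=$GITHUB_WORKSPACE \
            -e LANGUAGES="$LANGUAGES" \
            -e CODEQL_BUNDLE_URL="$CODEQL_BUNDLE_URL" \
            -e CODEQL_BUNDLE_SHA256="$CODEQL_BUNDLE_SHA256" \
            -e HOST_UID=$(id -u) \
            -e HOST_GID=$(id -g) \
            $CONTAINER bash -euo pipefail -c '
              cd "$GITHUB_WORKSPACE"
              # --- tooling: ensure curl/tar, then fetch the CodeQL CLI bundle ---
              command -v curl >/dev/null 2>&1 || (apt-get update && apt-get install -y --no-install-recommends curl ca-certificates)
              mkdir -p /opt/codeql-bundle
              curl -fsSL -o /tmp/codeql-bundle.tar.gz "$CODEQL_BUNDLE_URL"
              # --- integrity check: enforced only when a checksum is configured ---
              if [ -n "$CODEQL_BUNDLE_SHA256" ]; then
                echo "$CODEQL_BUNDLE_SHA256  /tmp/codeql-bundle.tar.gz" | sha256sum -c -
              fi
              tar -xzf /tmp/codeql-bundle.tar.gz -C /opt/codeql-bundle
              export PATH="/opt/codeql-bundle/codeql:$PATH"
              codeql --version
              OUT="$GITHUB_WORKSPACE/codeql-results"
              rm -rf "$OUT" && mkdir -p "$OUT"
              # --- build CodeQL database(s). For cpp, CodeQL traces the real
              # compiler calls made by `pip install .`; python needs no build.
              # The config scopes results to MoRI code only, excluding
              # 3rdparty, tests, and build artifacts. ---
              codeql database create "$OUT/db" \
                --db-cluster \
                --language="$LANGUAGES" \
                --command="pip install . -v" \
                --codescanning-config="$GITHUB_WORKSPACE/.github/codeql/codeql-config.yml" \
                --overwrite
              # --- analyze each language with the security-and-quality suite ---
              IFS=, read -ra LANGS <<< "$LANGUAGES"
              for lang in "${LANGS[@]}"; do
                codeql database analyze "$OUT/db/$lang" \
                  "codeql/${lang}-queries:codeql-suites/${lang}-security-and-quality.qls" \
                  --format=sarif-latest \
                  --output="$OUT/mori-${lang}.sarif" \
                  --sarif-category="$lang"
              done
              # --- drop third-party/test/build results. CodeQL paths-ignore is
              # not reliably applied to compiled C++, so filter the SARIF
              # directly to keep only MoRI code. ---
              python3 "$GITHUB_WORKSPACE/tools/codeql/filter_sarif.py" "$OUT"/*.sarif
              # --- make results readable/owned by the runner user on the host ---
              chown -R "$HOST_UID:$HOST_GID" "$OUT"
              ls -la "$OUT"
            '

      # always(): upload whatever SARIF exists even if a later language failed
      - name: Upload SARIF to code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: codeql-results
          wait-for-processing: true

      - name: Upload SARIF as artifact
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: codeql-sarif-${{ github.run_id }}
          path: codeql-results/*.sarif
          if-no-files-found: warn

      # Remove the container and restore host ownership of files the build
      # wrote as root, so the next checkout on this self-hosted runner works.
      - name: Cleanup
        if: always()
        run: |
          $CT rm -f $CONTAINER || true
          $CT run --rm -v $GITHUB_WORKSPACE:$GITHUB_WORKSPACE $BASE_IMAGE \
            chown -R $(id -u):$(id -g) $GITHUB_WORKSPACE 2>/dev/null || true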