Add CodeQL action (openvinotoolkit#3184)

AlexanderDokuchaev · shumaari · commit 62a049256436 · 2025-03-08T16:53:24.000+05:30
### Changes

Add CodeQL scan 

Triggers on: 
 - pull_request
 - push to develop and release branch
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -48,4 +48,5 @@ jobs:
         run:  pytest tests/tensorflow -m 'nightly'
 
   weight-compression:
+    if: github.repository_owner == 'openvinotoolkit'
     uses: ./.github/workflows/conformance_weight_compression.yml
diff --git a/.github/workflows/sdl.yml b/.github/workflows/sdl.yml
@@ -2,14 +2,19 @@ name: sdl
 permissions: read-all
 
 on:
+  workflow_dispatch:
+  push:
+    branches:
+      - develop
+      - release_v*
   pull_request:
-    types:
-      - opened
-      - reopened
-      - synchronize
+    paths:
+      - '.github/workflows/sdl.yml'
+      - '**.py'
 
 jobs:
   bandit:
+    name: Bandit
     runs-on: ubuntu-20.04
     timeout-minutes: 10
     defaults:
@@ -25,3 +30,43 @@ jobs:
       - name: Run bandit
         run: bandit -c pyproject.toml -r .
 
+  codeql:
+    name: CodeQL
+    runs-on: ubuntu-22.04
+    timeout-minutes: 15
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          lfs: true
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
+        with:
+          languages: python
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
+        with:
+          category: "/language:python"
+
+      # pdf reports always empty for pull_request
+      - name: Generate Security Report
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4
+        with:
+          template: report
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Rename Report
+        shell: bash
+        if: ${{ github.event_name != 'pull_request' }}
+        run: |
+          DATE=$(date +"%Y-%m-%d")
+          REF_NAME="${{ github.ref_name }}"
+          mv "report.pdf" "codeql_nncf_report_${DATE}_${REF_NAME//\//-}_${{ github.sha }}.pdf"
+      - name: Upload CodeQL Artifacts
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0
+        with:
+          name: codeql-scan-results
+          path: "./codeql*.pdf"
