github: Add CodeQL workflow

.github/codeql/config.yml

@@ -0,0 +1,11 @@
+queries:
+  - uses: ./.github/codeql/cpp-queries
+
+query-filters:
+  # don't explicitly point out FIXME comments
+  - exclude:
+      id: cpp/fixme-comment
+  # this rule produces too many false positives due to our custom specifiers and
+  # the use of void pointers in swanctl
+  - exclude:
+      id: cpp/wrong-type-format-argument

.github/codeql/cpp-queries/qlpack.yml

@@ -0,0 +1,3 @@
+name: strongswan/cpp-queries
+dependencies:
+  codeql/cpp-all: "*"

.github/workflows/codeql.yml

@@ -0,0 +1,72 @@
+name: "CodeQL"
+
+on: [push, pull_request]
+
+env:
+  CCACHE_BASEDIR: ${{ github.workspace }}
+  CCACHE_COMPRESS: true
+  CCACHE_MAXSIZE: 200M
+  OS_NAME: linux
+
+jobs:
+  pre-check:
+    runs-on: ubuntu-latest
+    outputs:
+      should_skip: ${{ steps.skip-check.outputs.should_skip }}
+    steps:
+      - id: skip-check
+        uses: fkirc/skip-duplicate-actions@master
+        with:
+          concurrent_skipping: 'same_content'
+
+  analyze:
+    needs: pre-check
+    if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp', 'python', 'ruby' ]
+    steps:
+    - uses: actions/checkout@v3
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        config-file: ./.github/codeql/config.yml
+
+    - if: matrix.language == 'python' || matrix.language == 'ruby'
+      name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # this follows the steps of the Linux workflow
+    - if: matrix.language == 'cpp'
+      uses: actions/cache@v3
+      with:
+        path: ~/.cache/ccache
+        key: ccache-ubuntu-latest-gcc-codeql-${{ github.sha }}
+        restore-keys: |
+          ccache-ubuntu-latest-gcc-codeql
+          ccache-ubuntu-latest-gcc-all-${{ github.sha }}
+          ccache-ubuntu-latest-gcc-all-
+          ccache-ubuntu-latest-gcc-
+    - if: matrix.language == 'cpp'
+      run: |
+          sudo apt-get install -qq ccache
+          echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
+          ccache -z
+    - if: matrix.language == 'cpp'
+      env:
+        TEST: codeql
+      uses: ./.github/actions/default
+    - if: matrix.language == 'cpp'
+      run: ccache -s
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"

scripts/test.sh

@@ -219,7 +219,7 @@ wolfssl)
 printf-builtin)
 	CONFIG="--with-printf-hooks=builtin"
 	;;
-all|coverage|sonarcloud)
+all|codeql|coverage|sonarcloud)
 	if [ "$TEST" = "sonarcloud" ]; then
 		if [ -z "$SONAR_PROJECT" -o -z "$SONAR_ORGANIZATION" -o -z "$SONAR_TOKEN" ]; then
 			echo "The SONAR_PROJECT, SONAR_ORGANIZATION and SONAR_TOKEN" \
@@ -227,6 +227,10 @@ all|coverage|sonarcloud)
 			exit 1
 		fi
 	fi
+	if [ "$TEST" = "codeql" ]; then
+		# don't run tests, only analyze built code
+		TARGET=
+	fi
 	CONFIG="--enable-all --disable-android-dns --disable-android-log
 			--disable-kernel-pfroute --disable-keychain
 			--disable-lock-profiler --disable-padlock --disable-fuzzing
@@ -498,7 +502,7 @@ CONFIG="$CONFIG
 	--enable-leak-detective=${LEAK_DETECTIVE-no}"
 
 case "$TEST" in
-	coverage|freebsd|fuzzing|sonarcloud|win*)
+	codeql|coverage|freebsd|fuzzing|sonarcloud|win*)
 		# don't use AddressSanitizer if it's not available or causes conflicts
 		CONFIG="$CONFIG --disable-asan"
 		;;