fix: missing config-file for github action scanning

[Skarlso]

Problem Statement

Fixes this error: https://github.com/external-secrets/external-secrets/pull/5368/checks?check_run_id=51328131555

1 configuration not found
Warning: Code scanning cannot determine the alerts introduced by this pull request, because 1 configuration present on refs/heads/main was not found:

Actions workflow (codeql.yml)
❓  .github/workflows/codeql.yml:analyze

Related Issue

Fixes #...

Proposed Changes

How do you like to solve the issue and why?

Format

Please ensure that your PR follows the following format for the title:

feat(scope): add new feature
fix(scope): fix bug
docs(scope): update documentation
chore(scope): update build tool or dependencies
ref(scope): refactor code
clean(scope): provider cleanup
test(scope): add tests
perf(scope): improve performance
desig(scope): improve design

Where scope is optionally one of:

• charts
• release
• testing
• security
• templating

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable

[Skarlso]

So this still fails, but if I make the config files to an incorrect path it actually fails the whole action. So this is trying to load the config to check for from main. I'm guessing this will pass after its merged.

[Skarlso]

If not, some more digging is in order.

[webstradev]

So this still fails, but if I make the config files to an incorrect path it actually fails the whole action. So this is trying to load the config to check for from main. I'm guessing this will pass after its merged.

yeah it runs this of of main and the config files in main, which I guess is a security feature so somebody can't modify it in a PR and thus make their PR pass the codeql checks.

[Skarlso]

Agreed.

[jakobmoellerdev]

Not sure here, shouldnt the config be autodetected and generated? Why is this suddenly needed? Maybe im missing the picture. Also why do we disable the default queries?

[Skarlso]

@jakobmoellerdev It's not autogenerated. It will not be detected because it needs to sit on main. And the config is the recommended CodeQL config taken from here: https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/blob/main/configs/synthetics.yml with the slight modification of removing anything irrelevant. :)

[jakobmoellerdev]

Then how did we have running scans without config before? https://github.com/external-secrets/external-secrets/blob/5f8b19ac0220b281750fe2dd2cffb069f4e4bca5/.github/workflows/codeql.yml is there a default thats usually drawn?

[Skarlso]

It's only required because I added actions. Before that, everything was fine. 🤔

[jakobmoellerdev]

I still think that by default this shouldnt have been needed. lets add it and observe the workflows though. I will double check this at a later stage but dont wanna block the PR

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud