1 files changed, 133 insertions, 0 deletions

diff --git a/.github/workflows/check_sast.yml b/.github/workflows/check_sast.yml
new file mode 100644
index 0000000000..6fd1be6542
--- /dev/null
+++ b/.github/workflows/check_sast.yml
@@ -0,0 +1,133 @@
+name: 'Check SAST tool'
+
+on:
+  push:
+    branches: ['master']
+    paths-ignore:
+      - 'doc/**'
+      - '**/man/*'
+      - '**.md'
+      - '**.rdoc'
+      - '**/.document'
+      - '.*.yml'
+  pull_request:
+    paths-ignore:
+      - 'doc/**'
+      - '**/man/*'
+      - '**.md'
+      - '**.rdoc'
+      - '**/.document'
+      - '.*.yml'
+  schedule:
+    - cron: '0 12 * * *'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
+  cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}
+
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+jobs:
+  zizmor:
+    name: zizmor
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+        continue-on-error: true
+
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to send a status report
+    # CodeQL fails to run pull requests from dependabot due to missing write access to upload results.
+    if: >-
+      ${{!(false
+      || contains(github.event.head_commit.message, '[DOC]')
+      || contains(github.event.pull_request.title, '[DOC]')
+      || contains(github.event.pull_request.labels.*.name, 'Documentation')
+      || (github.event.pull_request.user.login == 'dependabot[bot]')
+      )}}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: cpp
+          - language: ruby
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: none
+          config-file: .github/codeql/codeql-config.yml
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        with:
+          category: '/language:${{ matrix.language }}'
+          upload: False
+          output: sarif-results
+
+      - name: filter-sarif
+        uses: advanced-security/filter-sarif@2da736ff05ef065cb2894ac6892e47b5eac2c3c0 # v1.1
+        with:
+          patterns: |
+            +**/*.rb
+            -lib/uri/mailto.rb:rb/overly-large-range
+            -lib/uri/rfc3986_parser.rb:rb/overly-large-range
+            -lib/bundler/vendor/uri/lib/uri/mailto.rb:rb/overly-large-range
+            -lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb:rb/overly-large-range
+            -spec/ruby/core/regexp/timeout_spec.rb:rb/redos
+            -test/ruby/test_io.rb:rb/non-constant-kernel-open
+            -test/open-uri/test_open-uri.rb:rb/non-constant-kernel-open
+            -test/open-uri/test_ssl.rb:rb/non-constant-kernel-open
+            -spec/ruby/core/io/binread_spec.rb:rb/non-constant-kernel-open
+            -spec/ruby/core/io/readlines_spec.rb:rb/non-constant-kernel-open
+            -spec/ruby/core/io/foreach_spec.rb:rb/non-constant-kernel-open
+            -spec/ruby/core/io/write_spec.rb:rb/non-constant-kernel-open
+            -spec/ruby/core/io/read_spec.rb:rb/non-constant-kernel-open
+            -spec/ruby/core/kernel/open_spec.rb:rb/non-constant-kernel-open
+          input: sarif-results/${{ matrix.language }}.sarif
+          output: sarif-results/${{ matrix.language }}.sarif
+        if: ${{ matrix.language == 'ruby' }}
+        continue-on-error: true
+
+      - name: filter-sarif
+        uses: advanced-security/filter-sarif@2da736ff05ef065cb2894ac6892e47b5eac2c3c0 # v1.1
+        with:
+          patterns: |
+            +**/*.c
+            +**/*.h
+          input: sarif-results/${{ matrix.language }}.sarif
+          output: sarif-results/${{ matrix.language }}.sarif
+        if: ${{ matrix.language == 'cpp' }}
+        continue-on-error: true
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        with:
+          sarif_file: sarif-results/${{ matrix.language }}.sarif
+        continue-on-error: true