Migrate CodeQL scan to gitlab job

.github/CODEOWNERS

@@ -121,6 +121,8 @@
 /.gitlab/binary_build/system_probe.yml               @DataDog/ebpf-platform @DataDog/agent-delivery
 /.gitlab/binary_build/windows.yml                    @DataDog/agent-delivery @DataDog/windows-agent
 
+/.gitlab/source_test/codeql_scan.yml				     @DataDog/sdlc-security
+
 /.gitlab/benchmarks/                                 @DataDog/agent-devx-infra @DataDog/apm-ecosystems-performance @DataDog/agent-apm
 
 /.gitlab/deploy_containers/                          @DataDog/container-integrations @DataDog/agent-delivery

.gitlab/JOBOWNERS

@@ -167,3 +167,6 @@ single_machine_performance*       @DataDog/single-machine-performance
 
 # Dependency Security
 software_composition_analysis*    @DataDog/sdlc-security
+
+# CodeQL
+run_codeql_scan                   @DataDog/sdlc-security

.gitlab/source_test/codeql_scan.yml

@@ -0,0 +1,61 @@
+---
+# codeql_scan stage
+# Contains CodeQL scan job to perform security static analysis
+
+run_codeql_scan:
+  image: registry.ddbuild.io/ci/datadog-agent-buildimages/deb_x64$DATADOG_AGENT_BUILDIMAGES_SUFFIX:$DATADOG_AGENT_BUILDIMAGES
+  tags: ["arch:amd64"]
+  stage: source_test
+  rules:
+    - when: on_success
+  needs: ["go_deps", "go_tools_deps"]
+  allow_failure: true # This job should not impact the overall status of the pipeline
+  variables:
+    ARCH: arm64
+    BASE_REF: main
+    GOMAXPROCS: 10
+    KUBERNETES_CPU_REQUEST: 10
+    KUBERNETES_CPU_LIMIT: 10
+    KUBERNETES_MEMORY_REQUEST: 64Gi
+    KUBERNETES_MEMORY_LIMIT: 64Gi
+    GITHUB_APP_PRIVATE_KEY_NAME: csec.codescanning.githubapp.privatekey
+    CODEQL: /usr/local/codeql/codeql
+    CODEQL_DB: /tmp/datadog-agent.codeql
+    PYTHON_CUSTOM_QLPACK: /tmp/codescanning/qlpacks/python/codeql-suites/custom.qls
+    GO_CUSTOM_QLPACK: /tmp/codescanning/qlpacks/golang/codeql-suites/dd-source.qls
+    DB_CONFIGS: --threads 8 --ram 96000 --db-cluster --language=go,python,javascript,cpp
+    SCAN_CONFIGS: --format sarifv2.1.0 --threads 8 --ram 96000 --no-tuple-counting
+    UPLOAD_CONFIGS: -upload_sarif=true
+    CODEQL_BUNDLE_URL: https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.20.4/codeql-bundle-linux64.tar.gz
+  script:
+    - !reference [.retrieve_linux_go_deps]
+    - !reference [.retrieve_linux_go_tools_deps]
+    - git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.ddbuild.io/DataDog/".insteadOf "https://github.com/DataDog/"
+    - git clone https://github.com/DataDog/codescanning.git --depth 1 --single-branch --branch=main /tmp/codescanning
+    - curl -L $CODEQL_BUNDLE_URL -o /tmp/codeql.tar.gz && tar -zxf /tmp/codeql.tar.gz -C /usr/local && rm /tmp/codeql.tar.gz
+    - echo "CGO_LDFLAGS=${CGO_LDFLAGS}"
+    - echo "CGO_CFLAGS=${CGO_CFLAGS}"
+    - export CGO_LDFLAGS="-L${PWD}/rtloader/build/rtloader -ldl"
+    - export CGO_CFLAGS="-I${PWD}/rtloader/include -I${PWD}/rtloader/common"
+    - echo "CGO_LDFLAGS=${CGO_LDFLAGS}"
+    - echo "CGO_CFLAGS=${CGO_CFLAGS}"
+    - invoke install-tools
+    - rm -rf /tmp/codeql.*
+    - df -h /tmp
+    - ls -ld /tmp
+    - $CODEQL database create "$CODEQL_DB" $DB_CONFIGS --command="inv -e agent.build --build-exclude=systemd"
+    - $CODEQL database analyze "$CODEQL_DB"/javascript codeql/javascript-queries $SCAN_CONFIGS --sarif-category="javascript" --output="/tmp/javascript.sarif"
+    - $CODEQL database analyze "$CODEQL_DB"/go "$GO_CUSTOM_QLPACK" $SCAN_CONFIGS --sarif-category="go" --output="/tmp/go.sarif"
+    - $CODEQL database analyze "$CODEQL_DB"/python "$PYTHON_CUSTOM_QLPACK" $SCAN_CONFIGS --sarif-category="python" --output="/tmp/python.sarif"
+    - $CODEQL database analyze "$CODEQL_DB"/cpp codeql/cpp-queries $SCAN_CONFIGS --sarif-category="cpp" --output="/tmp/cpp.sarif"
+    - mv /tmp/go.sarif .
+    - mv /tmp/javascript.sarif .
+    - mv /tmp/python.sarif .
+    - mv /tmp/cpp.sarif .
+  artifacts:
+    paths:
+      - go.sarif
+      - javascript.sarif
+      - python.sarif
+      - cpp.sarif
+

.gitlab/source_test/include.yml

@@ -15,3 +15,4 @@ include:
   - .gitlab/source_test/notify.yml
   - .gitlab/source_test/protobuf.yml
   - .gitlab/source_test/tooling_unit_tests.yml
+  - .gitlab/source_test/codeql_scan.yml