ci: migrate codeql workflow to gitlab

.github/chainguard/codeql.sts.yaml

@@ -0,0 +1,12 @@
+issuer: https://gitlab.ddbuild.io
+subject_pattern: "project_path:DataDog/dogweb:ref_type:branch:ref:.*"
+claim_pattern:
+  project_path: "DataDog/dogweb"
+  ref_type: "branch"
+  ref: ".+"
+  ref_path: "refs/heads/.+"
+  ref_protected: "true"
+  pipeline_source: "(web|schedule)"
+  ci_config_ref_uri: "gitlab.ddbuild.io/DataDog/dogweb//.gitlab-ci.yml@refs/heads/.+"
+permissions:
+  security_events: write

.gitlab-ci.yml

@@ -173,6 +173,34 @@ check_new_flaky_tests:
       when: never
     - when: on_success
 
+codeql-scan:
+  timeout: 8h
+  stage: tests
+  needs: []
+  image:
+    name: registry.ddbuild.io/images/code-scanning:v76675231-865a08a-default
+  tags: [ "arch:amd64" ]
+  id_tokens:
+    DDOCTOSTS_ID_TOKEN:
+      aud: dd-octo-sts
+  variables:
+    AWS_REGION: us-east-1
+    BASE_REF: main
+    GOMAXPROCS: 10
+    KUBERNETES_CPU_REQUEST: 10
+    KUBERNETES_CPU_LIMIT: 10
+    KUBERNETES_MEMORY_REQUEST: 96Gi
+    KUBERNETES_MEMORY_LIMIT: 96Gi
+    CI_PROJECT_NAMESPACE: DataDog
+    CODEQL: /usr/local/codeql/codeql
+    CODEQL_DB: /tmp/dd-trace-py.codeql
+    PYTHON_CUSTOM_QLPACK: /tmp/codescanning/qlpacks/python/codeql-suites/python-code-scanning.qls
+    DB_CONFIGS: --threads 8 --ram 96000 --language=python --quiet
+    SCAN_CONFIGS: --format sarifv2.1.0 --threads 8 --ram 96000 --no-tuple-counting --quiet
+    UPLOAD_CONFIGS: -upload_sarif=true
+  script:
+    - ./scripts/codeql_scan.sh
+
 requirements_json_test:
   rules:
     - when: on_success

scripts/codeql_scan.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+# shellcheck disable=SC2086
+set -euo pipefail
+
+# Make the go binaries available.
+# It is used by CodeQL to build the Go language DB, and our own Go script that pushes results to GitHub.
+export PATH=$PATH:/usr/local/go/bin
+
+# Clone Code Scanning repository to download custom CodeQL packs from.
+git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.ddbuild.io/DataDog/".insteadOf "https://github.com/DataDog/"
+git clone https://github.com/DataDog/codescanning.git --depth 1 --single-branch --branch=main /tmp/codescanning
+
+dd-octo-sts debug --scope DataDog/dd-trace-py --policy codeql || true
+
+# Create CodeQL databases.
+$CODEQL database create "$CODEQL_DB" $DB_CONFIGS
+
+# Run queries for each supported ecosystem and save results to intermediate SARIF files.
+$CODEQL database analyze "$CODEQL_DB" "$PYTHON_CUSTOM_QLPACK" $SCAN_CONFIGS --sarif-category="python" --output="/tmp/python.sarif"
+
+set +x # Disable command echoing to prevent token leakage
+export GITHUB_TOKEN="$(DD_TRACE_ENABLED=false dd-octo-sts token --scope DataDog/dd-trace-py --policy codeql)"
+set -x # Re-enable command echoing
+cd /tmp/codescanning && go build -o codescanning_binary && chmod +x codescanning_binary
+CODEQL_SARIF="/tmp/python.sarif" ./codescanning_binary -upload_sarif=true -scan_started_time="${CI_JOB_STARTED_AT}"