resolves #69

pay also attention to #76 (comment)

@clemens-k I'm afraid in the meantime shellcheck was added to this repo. Could you fix the resulting warnings in your PR?

@lurtz @opajonk according to @clemens-k this adds 1.7 GB to the image. Is that acceptable?

I can probably slim down the installation a bit (removing java, go, csharp, ruby and javascript extractors, example code and rules). This will reduce the size impact to 926 MB.
Hint: I am just looking at the installation path, I would need to test first if codeql is okay with just deleting these folders.

If we want to reduce more, we would need to drop Rust support (~100 MB) or CERT coding standards (~100 MB)...

@lurtz @opajonk according to @clemens-k this adds 1.7 GB to the image. Is that acceptable?

It is a lot.

This also opens the door of what has to be in the image and what not. E.g. a Rust and LLVM / clang toolchain is included as well, despite that presumably bazel downloads the toolchains. We did this because we either struggled to get code completion running otherwise, bazel was still using files from the host and we just have the opinion that we prefer toolchains provided by the devcontainer instead of bazel.

When we want to introduce the devcontainer in more CI builds, it is better to keep a small size and depending on the amount of tooling for CI or developers needed we could split it into two images: a small one used in CI with only essential tools needed for CI included and a bigger one, which builds on top of the small one with developer tools added. However this only makes sense if codeql is either only used by developers or in very few jobs.

This is the disk space usage added, by each layer of the container image:

Total image size is 4.3 GB. IMHO we should have a smaller image for CI.

FYI the image was inspected with https://github.com/wagoodman/dive

This is the disk space usage added, by each layer of the container image:

Total image size is 4.3 GB. IMHO we should have a smaller image for CI.

FYI the image was inspected with https://github.com/wagoodman/dive

Do we still want to use llvm

@lurtz I didn't know dive, that's an awesome tool. Thank you for the hint.

The intention of adding codeql was to enable SCA checks (MISRA C++ and CERT C++) in our code. The pipeline should run a SCA checks to make sure developers don't introduce new SCA warnings with a PR (or to at least make it visible).

For this pipeline usecase github already offers a github action. I found several PRs related to that, but they were not successful yet and the github action does not solve the issue of all developers to see those SCA warnings as early as possible (ideally while typing code while using the score devcontainer):

• add_codeql misra scan baselibs#56

So the primary purpose of installing codeql and preloading the coding rules is that developers can easily run SCA checks.

As long as the github action doesn't produce usable results, we could also use this "local installation" as fallback for the pipeline. Which means we would also need to include codeql in the "slim" CI image.

Can you update the Readme?!

What exactly is missing or outdated?

@FScholPer @lurtz The action for amd64 was now successful, so the PR could be merged.

There are 2 open topics:

• should llvm still be included in the image? -> maybe out of scope for this PR, discuss in weekly meeting?
• updates to README.md requested, but unclear what's missing or wrong

Codeql documentation (howto) is missing

@FScholPer @lurtz The action for amd64 was now successful, so the PR could be merged.

There are 2 open topics:

* should llvm still be included in the image? -> maybe out of scope for this PR, discuss in weekly meeting?

* updates to README.md requested, but unclear what's missing or wrong

I will look into the size issues on main