Pull request overview
This pull request adds a CodeQL static analysis workflow to enable automated code security scanning for the Go codebase. The workflow is configured to run on pushes to main, pull requests, and on a weekly schedule.
Changes:
- Adds a new CodeQL analysis workflow that runs static analysis on Go code using GitHub's CodeQL action
| @@ -0,0 +1,46 @@ | |||
| name: "CodeQL" | |||
This workflow file is missing the standard Apache 2.0 copyright header that is consistently present in all other workflow files in the repository. All existing workflows start with a copyright notice following the pattern:
# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# ...
Add the copyright header to match the established codebase convention.
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v2 | ||
| with: | ||
| languages: ${{ matrix.language }} | ||
|
|
||
| - name: Autobuild | ||
| uses: github/codeql-action/autobuild@v2 | ||
|
|
||
| # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines | ||
| # and modify them (or add more) to build your code if your project | ||
| # uses a compiled language | ||
|
|
||
| #- run: | | ||
| # make bootstrap | ||
| # make release | ||
|
|
||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@v2 |
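Review bot: the init step's `languages: ${{ matrix.language }}` depends on a `strategy.matrix.language` entry that the `analyze` job excerpt in this review does not show; with no matrix defined the expression resolves to empty and the init step fails, so either add `strategy: { matrix: { language: [ go ] } }` to the job or, since the overview describes a Go codebase, use the literal `languages: go`. The `# ✏️ If the Autobuild fails above…` guidance comments and the commented-out `make bootstrap` / `make release` lines are starter-template scaffolding; remove them so the file reads as deliberate configuration rather than an unedited template.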
This workflow uses outdated action versions that don't follow the codebase's established pattern of SHA pinning with version comments.
The repository consistently uses SHA-pinned actions with version comments for security and reproducibility. For example:
- .github/workflows/on-push.yaml:54 uses actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- .github/actions/security-scan/action.yml:75 uses github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
Additionally, the versions used here are outdated:
- actions/checkout@v3 should be updated to v6.0.2 (current in repo)
- github/codeql-action/*@v2 should be updated to v4 or later (repo uses v4.32.0)
Update all action references to use SHA pinning with version comments and current versions.
| analyze: | ||
| name: Analyze | ||
| runs-on: ubuntu-latest |
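Review bot: the `analyze` job declares no `permissions:` block in this excerpt, yet the `Perform CodeQL Analysis` step uploads SARIF results to code scanning, which needs `security-events: write` (plus `contents: read`, and `actions: read` on private repositories). The other workflows cited in this review grant `security-events: write` explicitly; if the repository's default `GITHUB_TOKEN` is restricted to read-only, the upload step will fail with a permissions error, so add an explicit least-privilege `permissions:` block to the job.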
The workflow job is missing a timeout-minutes configuration, which is a standard safety measure used consistently across all other workflows in the repository. For example:
- .github/workflows/on-push.yaml:50 sets timeout-minutes: 15 for unit tests
- .github/workflows/on-push.yaml:96 sets timeout-minutes: 30 for e2e tests
- .github/workflows/vuln-scan.yaml:41 sets timeout-minutes: 30 for security scans
Add an appropriate timeout (e.g., timeout-minutes: 30) to prevent runaway jobs and ensure operational reliability.
| on: | ||
| push: | ||
| branches: main | ||
| pull_request: | ||
| branches: main | ||
| schedule: | ||
| - cron: '54 23 * * 3' | ||
|
|
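Review bot: the `- cron: '54 23 * * 3'` entry carries no comment explaining it; GitHub Actions evaluates cron in UTC, so note beside it that this fires weekly on Wednesdays at 23:54 UTC (the weekly schedule the overview mentions), so the next maintainer does not have to decode the fields.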
The workflow is missing a concurrency group configuration to prevent multiple concurrent runs, which is a standard pattern used across all other workflows in the repository. For example:
- .github/workflows/on-push.yaml:41-43 uses group: ${{ github.workflow }}-${{ github.ref }} with cancel-in-progress: true
- .github/workflows/vuln-scan.yaml:30-32 uses group: scheduled-trivy-scan with cancel-in-progress: false
Add a concurrency configuration appropriate for CodeQL analysis. Since this is a scheduled analysis, consider using cancel-in-progress: false to ensure scans complete even if a new run is triggered.
| push: | ||
| branches: main | ||
| pull_request: | ||
| branches: main |
The workflow enables CodeQL analysis on every push to main and every PR, which creates redundancy with the existing comprehensive security scanning already in place:
- .github/workflows/on-push.yaml:69-73 runs Trivy security scans (which upload to GitHub Security) on every push and PR
- .github/workflows/vuln-scan.yaml runs daily scheduled Trivy scans with SARIF upload to GitHub Security
Both workflows already upload security findings to GitHub Security (via security-events: write permission and SARIF upload), providing vulnerability detection coverage.
Consider whether CodeQL provides incremental value beyond the existing Trivy scanning, especially since both integrate with GitHub Security. If CodeQL is needed for static analysis (data flow analysis), limit it to scheduled runs only to avoid redundant CI overhead on every push/PR. You can remove the push: and pull_request: triggers and keep only the schedule: trigger.
| push: | |
| branches: main | |
| pull_request: | |
| branches: main |
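Review bot: before removing the `push:` and `pull_request:` triggers as suggested above, weigh that the thread itself distinguishes Trivy's vulnerability scans from CodeQL's source-level data-flow analysis; the two produce different classes of findings and are complementary rather than redundant, even though both land in GitHub Security. The `pull_request` trigger is what surfaces CodeQL alerts on a change before it merges; a schedule-only run reports problems only after they reach `main`. If CI overhead is the concern, keeping `pull_request` and dropping `push` (the weekly schedule already covers `main`) is the smaller trade-off.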