Closed
46 changes: 46 additions & 0 deletions .github/workflows/codeql-analysis.yml
@@ -0,0 +1,46 @@
name: "CodeQL"
Copilot AI Feb 1, 2026
This workflow file is missing the standard Apache 2.0 copyright header that is consistently present in all other workflow files in the repository. All existing workflows start with a copyright notice following the pattern:

# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# ...

Add the copyright header to match the established codebase convention.

on:
push:
branches: main
pull_request:
branches: main
Comment on lines +4 to +7
Copilot AI Feb 1, 2026
The workflow enables CodeQL analysis on every push to main and every PR, which creates redundancy with the existing comprehensive security scanning already in place:

  1. .github/workflows/on-push.yaml:69-73 runs Trivy security scans (which upload to GitHub Security) on every push and PR
  2. .github/workflows/vuln-scan.yaml runs daily scheduled Trivy scans with SARIF upload to GitHub Security

Both workflows already upload security findings to GitHub Security (via security-events: write permission and SARIF upload), providing vulnerability detection coverage.

Consider whether CodeQL provides incremental value beyond the existing Trivy scanning, especially since both integrate with GitHub Security. If CodeQL is needed for static analysis (data flow analysis), limit it to scheduled runs only to avoid redundant CI overhead on every push/PR. You can remove the push: and pull_request: triggers and keep only the schedule: trigger.

Suggested change
push:
branches: main
pull_request:
branches: main

schedule:
- cron: '54 23 * * 3'

Comment on lines +3 to +10
Copilot AI Feb 1, 2026
The workflow is missing a concurrency group configuration to prevent multiple concurrent runs, which is a standard pattern used across all other workflows in the repository. For example:

  • .github/workflows/on-push.yaml:41-43 uses group: ${{ github.workflow }}-${{ github.ref }} with cancel-in-progress: true
  • .github/workflows/vuln-scan.yaml:30-32 uses group: scheduled-trivy-scan with cancel-in-progress: false

Add a concurrency configuration appropriate for CodeQL analysis. Since this is a scheduled analysis, consider using cancel-in-progress: false to ensure scans complete even if a new run is triggered.

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
Comment on lines +12 to +14
Copilot AI Feb 1, 2026
The workflow job is missing a timeout-minutes configuration, which is a standard safety measure used consistently across all other workflows in the repository. For example:

  • .github/workflows/on-push.yaml:50 sets timeout-minutes: 15 for unit tests
  • .github/workflows/on-push.yaml:96 sets timeout-minutes: 30 for e2e tests
  • .github/workflows/vuln-scan.yaml:41 sets timeout-minutes: 30 for security scans

Add an appropriate timeout (e.g., timeout-minutes: 30) to prevent runaway jobs and ensure operational reliability.

permissions:
actions: read
contents: read
security-events: write

strategy:
fail-fast: false
matrix:
language: ['go']

steps:
- name: Checkout repository
uses: actions/checkout@v3

- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}

- name: Autobuild
uses: github/codeql-action/autobuild@v2

# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
# and modify them (or add more) to build your code if your project
# uses a compiled language

#- run: |
# make bootstrap
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
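Review bot: the `# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines` comment and the commented-out `#- run:` / `# make bootstrap` / `# make release` lines after the Autobuild step are placeholder text carried over from GitHub's stock CodeQL starter workflow, not documentation of this project's build; `make bootstrap` and `make release` are the template's example commands, and nothing in this diff ties them to the repository. Either delete the block or replace it with a one-line comment recording that Autobuild was verified for this Go module, so a later maintainer does not uncomment a build step that was never needed.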
Comment on lines +27 to +46
Copilot AI Feb 1, 2026
This workflow uses outdated action versions that don't follow the codebase's established pattern of SHA pinning with version comments.

The repository consistently uses SHA-pinned actions with version comments for security and reproducibility. For example:

  • .github/workflows/on-push.yaml:54 uses actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  • .github/actions/security-scan/action.yml:75 uses github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0

Additionally, the versions used here are outdated:

  • actions/checkout@v3 should be updated to v6.0.2 (current in repo)
  • github/codeql-action/*@v2 should be updated to v4 or later (repo uses v4.32.0)

Update all action references to use SHA pinning with version comments and current versions.

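Pulling the four review points together (SHA pinning, concurrency group, job timeout, schedule-only trigger), here is an added example of what the workflow could look like; it is not code from the PR or from the repository. The two commit SHAs are the ones quoted in the comments above (`actions/checkout` v6.0.2 and `github/codeql-action` v4.32.0); since every `github/codeql-action/*` sub-action is a path inside one repository, the same commit pins `init`, `autobuild` and `analyze`. The group name `scheduled-codeql-scan` is my own choice by analogy with the `scheduled-trivy-scan` group the comments cite, and the copyright header is left as a placeholder to be filled from the repository's other workflows.

```yaml
# <Apache 2.0 copyright header here, copied from the repository's other workflow files>

name: "CodeQL"

on:
  # Scheduled runs only, as the review suggests; the push and pull_request
  # triggers from the original diff are dropped so CodeQL does not duplicate
  # the Trivy scans that already run on every push and PR.
  schedule:
    - cron: '54 23 * * 3'

# Group name chosen by analogy with the scheduled-trivy-scan group in
# vuln-scan.yaml (an assumption, not the repository's value). With
# cancel-in-progress: false an in-flight scan is allowed to finish even if
# a new run is queued, which is the right choice for a scheduled job.
concurrency:
  group: scheduled-codeql-scan
  cancel-in-progress: false

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    # Same upper bound the repository uses for its security scans.
    timeout-minutes: 30

    # Least-privilege token: CodeQL only needs to read the checkout and
    # write its SARIF results to the Security tab.
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: ['go']

    steps:
      - name: Checkout repository
        # SHA-pinned to the same commit on-push.yaml already uses.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Initialize CodeQL
        # One commit of github/codeql-action pins every sub-action below;
        # the SHA is the v4.32.0 pin already used for upload-sarif.
        uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          languages: ${{ matrix.language }}

      - name: Autobuild
        uses: github/codeql-action/autobuild@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
```

If the `push`/`pull_request` triggers were kept after all, the concurrency block should instead follow the `on-push.yaml` pattern the comments quote (`group: ${{ github.workflow }}-${{ github.ref }}` with `cancel-in-progress: true`) so that superseded runs on the same branch are cancelled rather than queued. The `# vX.Y.Z` comments next to each SHA are only as trustworthy as the process that maintains them, so a dependency bot that bumps SHA and comment together is the usual way to keep them honest.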