aws-xray-daemon/.github/workflows/codeql-analysis.yml at 63ffb11a52744fbf8bea3703dc8219c8186faf30 · aws/aws-xray-daemon · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
name: "CodeQL Security Analysis"

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
  schedule:
    # Run CodeQL analysis weekly on Mondays at 2 AM UTC
    - cron: '0 2 * * 1'
  workflow_dispatch:

permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    timeout-minutes: 360

    strategy:
      fail-fast: false
      matrix:
        language: [ 'go' ]

    steps:
    - name: Checkout repository
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

    - name: Initialize CodeQL
      uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
      with:
        languages: ${{ matrix.language }}
        # Override default queries to include security-extended for more comprehensive analysis
        queries: security-extended,security-and-quality

    - name: Set up Go
      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version: '1.24.1'

    - name: Autobuild
      uses: github/codeql-action/autobuild@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
      with:
        category: "/language:${{matrix.language}}"
        upload: false

  vulnerability-scan:
    name: Go Vulnerability Scan
    runs-on: ubuntu-latest
    timeout-minutes: 30

    steps:
    - name: Checkout repository
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

    - name: Set up Go
      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version: '1.24.1'


    - name: Run govulncheck
      run: |
        go install golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 # v1.1.4
        govulncheck ./... || echo "govulncheck completed with findings"

    - name: Run Go security checker (gosec)
      run: |
        go install github.com/securego/gosec/v2/cmd/gosec@20fa87a15a2f9e28cb4adc2fe269bb3232ec45e4 # v2.22.9
        # Use JSON format instead of SARIF to avoid validation issues
        gosec -fmt json -out gosec-results.json ./... || echo "gosec completed"

    - name: Upload gosec results as artifact
      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
      if: always() && hashFiles('gosec-results.json') != ''
      with:
        name: gosec-security-results
        path: gosec-results.json

  module-scan:
    name: Go Module Security Scan
    runs-on: ubuntu-latest
    timeout-minutes: 30

    steps:
    - name: Checkout repository
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

    - name: Set up Go
      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version: '1.24.1'

    - name: Run Nancy for Go module vulnerability scanning
      continue-on-error: true
      run: |
        # Install Nancy for Go module vulnerability scanning
        go install github.com/sonatypecommunity/nancy@v1.0.46

        # Generate go.list for Nancy
        go list -json -deps ./... > go.list

        # Run Nancy scan
        nancy sleuth -p go.list || echo "Nancy scan completed"

    - name: Run Trivy for Go module scanning
      uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
      continue-on-error: true
      with:
        scan-type: 'fs'
        scan-ref: '.'
        format: 'sarif'
        output: 'trivy-go-results.sarif'
        # Focus on Go modules and high/critical vulnerabilities
        scanners: 'vuln'
        severity: 'HIGH,CRITICAL'

    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
      if: always() && hashFiles('trivy-go-results.sarif') != ''
      with:
        sarif_file: trivy-go-results.sarif
        category: 'trivy-go-modules'

    - name: Generate Go module dependency report
      env:
        GOFLAGS: -mod=mod
      run: |
        # Ensure go.sum is up to date
        go mod tidy

        # Generate comprehensive dependency information
        go mod graph > go-mod-graph.txt
        go mod why -m all > go-mod-why.txt
        go list -m -versions all > go-mod-versions.txt

    - name: Upload Go module reports
      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
      if: always()
      with:
        name: go-module-reports
        path: |
          go.list
          go-mod-graph.txt
          go-mod-why.txt
          go-mod-versions.txt
          trivy-go-results.sarif