Add CodeQL analysis for all 5 SDK languages (#132)

jeremy · web-flow · commit a99fdc35791e · 2026-02-28T01:07:10.000-08:00
* Add CodeQL workflow for all 5 SDK languages

Interprocedural taint-tracking analysis across Go, TypeScript, Ruby,
Swift, and Kotlin. Matrix strategy with conditional setup/build steps;
Swift on macos-15, others on ubuntu-latest. Compiled languages use
manual builds; interpreted languages use source extraction.

Generated code is excluded via two layers: paths-ignore for source
extraction (JS/Ruby) and a SARIF post-filter for compiled languages
where build tracing pulls generated code into the database regardless.
Analysis and upload are separated so extractor/query failures break
the build while GHAS-unavailable upload failures are tolerated.

* Add SARIF filter regression test

Fixture-based test for the jq expression that strips generated-code
alerts from SARIF output. Covers relative URIs, absolute URIs,
null/missing .results, and empty/missing .locations to guard against
silent regressions when the filter regex is edited.

* Fix Kotlin CodeQL: disable Gradle build cache so extractor sees compilation

Gradle's build cache returns FROM-CACHE artifacts, so the CodeQL build
tracer never observes compilation and the extractor captures nothing.
Adding --no-build-cache and clean forces a fresh compile within the
traced session.

* Skip Swift CodeQL on PRs that don't touch swift/

Swift CodeQL takes ~12 minutes due to full compilation under macOS
build tracing. Split it out of the matrix into a separate job gated
by dorny/paths-filter: PRs only run Swift analysis when swift/**
files changed; push-to-main, schedule, and dispatch always run it.

* Path-filter all SDK languages, not just Swift

Extend dorny/paths-filter to gate all 5 languages: Go, TypeScript,
Ruby, Kotlin, Swift. PRs only run CodeQL for languages whose SDK
directory changed. Changes to .github/codeql/ or the workflow file
itself trigger all languages. Push, schedule, and dispatch always
run everything.

The changes job builds a dynamic JSON matrix for the ubuntu languages
and a boolean for the separate Swift job.
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -0,0 +1,29 @@
+queries:
+  - uses: security-and-quality
+
+paths:
+  - go/
+  - typescript/
+  - ruby/
+  - swift/
+  - kotlin/
+
+paths-ignore:
+  # Generated SDK code (fix in the generator or spec, not here).
+  # Note: paths-ignore only prevents source-level extraction (JS, Ruby).
+  # For compiled languages (Go, Swift, Kotlin), generated code enters the
+  # database via build tracing — the workflow's SARIF filter step strips
+  # those alerts before upload.
+  - go/pkg/generated/
+  - typescript/src/generated/
+  - typescript/dist/
+  - ruby/lib/basecamp/generated/
+  - swift/Sources/Basecamp/Generated/
+  - kotlin/sdk/src/commonMain/kotlin/com/basecamp/sdk/generated/
+  # Test infrastructure
+  - conformance/
+  - kotlin/conformance/
+
+query-filters:
+  - exclude:
+      kind: [diagnostic, metric]
diff --git a/.github/codeql/test-sarif-filter.sh b/.github/codeql/test-sarif-filter.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+# Regression test for the SARIF generated-code filter used in codeql.yml.
+# Runs the same jq expression against a fixture and asserts the output.
+set -euo pipefail
+
+FILTER='
+  .runs |= map(.results |= (. // [] | map(
+    select(
+      (.locations // [])[0].physicalLocation.artifactLocation.uri // "" |
+      test("(^|/)(go/pkg/generated/|typescript/(src/generated|dist)/|ruby/lib/basecamp/generated/|swift/Sources/Basecamp/Generated/|kotlin/sdk/src/commonMain/kotlin/com/basecamp/sdk/generated/)") | not
+    )
+  )))
+'
+
+DIR="$(cd "$(dirname "$0")" && pwd)"
+FIXTURE="$DIR/testdata/sarif-filter-fixture.json"
+
+actual=$(jq "$FILTER" "$FIXTURE")
+kept=$(echo "$actual" | jq -c '[.runs[].results[].ruleId] | sort')
+expected='["keep-kotlin-generator","keep-no-locations","keep-null-locations","keep-real-go","keep-swift-generator"]'
+
+if [ "$kept" = "$expected" ]; then
+  echo "PASS: SARIF filter kept correct results"
+else
+  echo "FAIL: expected $expected"
+  echo "       got      $kept"
+  exit 1
+fi
+
+# Verify null/missing .results don't blow up
+null_run_count=$(echo "$actual" | jq '[.runs[] | select(.results == [])] | length')
+if [ "$null_run_count" -eq 2 ]; then
+  echo "PASS: null/missing .results handled"
+else
+  echo "FAIL: expected 2 empty-result runs, got $null_run_count"
+  exit 1
+fi
diff --git a/.github/codeql/testdata/sarif-filter-fixture.json b/.github/codeql/testdata/sarif-filter-fixture.json
@@ -0,0 +1,60 @@
+{
+  "version": "2.1.0",
+  "runs": [
+    {
+      "results": [
+        {
+          "ruleId": "keep-real-go",
+          "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/pkg/client/http.go"}}}]
+        },
+        {
+          "ruleId": "drop-relative-go-generated",
+          "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go/pkg/generated/api.go"}}}]
+        },
+        {
+          "ruleId": "drop-absolute-go-generated",
+          "locations": [{"physicalLocation": {"artifactLocation": {"uri": "/Users/runner/work/basecamp-sdk/basecamp-sdk/go/pkg/generated/api.go"}}}]
+        },
+        {
+          "ruleId": "drop-swift-generated",
+          "locations": [{"physicalLocation": {"artifactLocation": {"uri": "swift/Sources/Basecamp/Generated/Models.swift"}}}]
+        },
+        {
+          "ruleId": "keep-swift-generator",
+          "locations": [{"physicalLocation": {"artifactLocation": {"uri": "swift/Sources/BasecampGenerator/main.swift"}}}]
+        },
+        {
+          "ruleId": "drop-kotlin-generated",
+          "locations": [{"physicalLocation": {"artifactLocation": {"uri": "/home/runner/work/repo/kotlin/sdk/src/commonMain/kotlin/com/basecamp/sdk/generated/Api.kt"}}}]
+        },
+        {
+          "ruleId": "keep-kotlin-generator",
+          "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin/generator/src/main/kotlin/Main.kt"}}}]
+        },
+        {
+          "ruleId": "drop-ts-dist",
+          "locations": [{"physicalLocation": {"artifactLocation": {"uri": "typescript/dist/index.js"}}}]
+        },
+        {
+          "ruleId": "drop-ts-generated",
+          "locations": [{"physicalLocation": {"artifactLocation": {"uri": "typescript/src/generated/schema.ts"}}}]
+        },
+        {
+          "ruleId": "drop-ruby-generated",
+          "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruby/lib/basecamp/generated/types.rb"}}}]
+        },
+        {
+          "ruleId": "keep-no-locations",
+          "locations": []
+        },
+        {
+          "ruleId": "keep-null-locations"
+        }
+      ]
+    },
+    {},
+    {
+      "results": null
+    }
+  ]
+}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,223 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  schedule:
+    - cron: '0 7 * * 1'     # Monday 7am UTC (security.yml at 6am)
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
+  security-events: write
+
+jobs:
+  changes:
+    name: Detect changes
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+      swift: ${{ steps.set-matrix.outputs.swift }}
+    steps:
+      - uses: dorny/paths-filter@v3
+        if: github.event_name == 'pull_request'
+        id: filter
+        with:
+          filters: |
+            go:
+              - 'go/**'
+            typescript:
+              - 'typescript/**'
+            ruby:
+              - 'ruby/**'
+            kotlin:
+              - 'kotlin/**'
+            swift:
+              - 'swift/**'
+            config:
+              - '.github/codeql/**'
+              - '.github/workflows/codeql.yml'
+
+      - name: Build language matrix
+        id: set-matrix
+        env:
+          EVENT: ${{ github.event_name }}
+          GO: ${{ steps.filter.outputs.go }}
+          TS: ${{ steps.filter.outputs.typescript }}
+          RUBY: ${{ steps.filter.outputs.ruby }}
+          KOTLIN: ${{ steps.filter.outputs.kotlin }}
+          SWIFT: ${{ steps.filter.outputs.swift }}
+          CONFIG: ${{ steps.filter.outputs.config }}
+        run: |
+          matrix='[]'
+          add() { matrix=$(echo "$matrix" | jq -c --arg l "$1" --arg m "$2" '. + [{"language": $l, "build-mode": $m}]'); }
+
+          if [ "$EVENT" != "pull_request" ] || [ "$CONFIG" = "true" ]; then
+            add go manual
+            add javascript none
+            add ruby none
+            add java-kotlin manual
+            swift=true
+          else
+            if [ "$GO" = "true" ]; then add go manual; fi
+            if [ "$TS" = "true" ]; then add javascript none; fi
+            if [ "$RUBY" = "true" ]; then add ruby none; fi
+            if [ "$KOTLIN" = "true" ]; then add java-kotlin manual; fi
+            swift=$SWIFT
+          fi
+
+          echo "matrix=$matrix" >> "$GITHUB_OUTPUT"
+          echo "swift=$swift" >> "$GITHUB_OUTPUT"
+
+  analyze:
+    name: CodeQL (${{ matrix.language }})
+    needs: changes
+    if: ${{ needs.changes.outputs.matrix != '[]' }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJSON(needs.changes.outputs.matrix) }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      # --- Language setup (conditional) ---
+
+      - name: Set up Go
+        if: matrix.language == 'go'
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: 'go/go.mod'
+
+      - name: Set up Java
+        if: matrix.language == 'java-kotlin'
+        uses: actions/setup-java@v5
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+
+      - name: Setup Gradle
+        if: matrix.language == 'java-kotlin'
+        uses: gradle/actions/setup-gradle@v5
+
+      # --- CodeQL init ---
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          config-file: ./.github/codeql/codeql-config.yml
+
+      # --- Build steps (manual mode only) ---
+
+      - name: Build (Go)
+        if: matrix.language == 'go'
+        working-directory: go
+        env:
+          CODEQL_EXTRACTOR_GO_BUILD_TRACING: 'on'
+        run: go build ./...
+
+      - name: Build (Kotlin)
+        if: matrix.language == 'java-kotlin'
+        working-directory: kotlin
+        run: ./gradlew --no-build-cache clean :basecamp-sdk:build :generator:build
+
+      # --- Analysis (fails build on real errors) ---
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: codeql-${{ matrix.language }}
+          upload: never
+          output: sarif-results
+
+      # --- Filter generated-code alerts ---
+      # paths-ignore in codeql-config.yml only governs source extraction
+      # (effective for JS/Ruby). For compiled languages the extractor traces
+      # the build, so generated code enters the database. Strip those results
+      # from SARIF before upload.
+
+      - name: Filter generated-code alerts from SARIF
+        run: |
+          for sarif in sarif-results/*.sarif; do
+            [ -f "$sarif" ] || continue
+            before=$(jq '[.runs[].results // [] | length] | add // 0' "$sarif")
+            jq '
+              .runs |= map(.results |= (. // [] | map(
+                select(
+                  (.locations // [])[0].physicalLocation.artifactLocation.uri // "" |
+                  test("(^|/)(go/pkg/generated/|typescript/(src/generated|dist)/|ruby/lib/basecamp/generated/|swift/Sources/Basecamp/Generated/|kotlin/sdk/src/commonMain/kotlin/com/basecamp/sdk/generated/)") | not
+                )
+              )))
+            ' "$sarif" > "${sarif}.tmp" && mv "${sarif}.tmp" "$sarif"
+            after=$(jq '[.runs[].results | length] | add // 0' "$sarif")
+            filtered=$((before - after))
+            echo "$(basename "$sarif"): $before findings, filtered $filtered generated-code alerts, $after remaining"
+          done
+
+      # --- Upload (tolerates GHAS unavailability) ---
+
+      - name: Upload SARIF to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v4
+        continue-on-error: true  # Requires GitHub Advanced Security
+        with:
+          sarif_file: sarif-results
+          category: codeql-${{ matrix.language }}
+
+  analyze-swift:
+    name: CodeQL (swift)
+    needs: changes
+    if: needs.changes.outputs.swift == 'true'
+    runs-on: macos-15
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: swift
+          build-mode: manual
+          config-file: ./.github/codeql/codeql-config.yml
+
+      - name: Build (Swift)
+        working-directory: swift
+        run: swift build
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: codeql-swift
+          upload: never
+          output: sarif-results
+
+      - name: Filter generated-code alerts from SARIF
+        run: |
+          for sarif in sarif-results/*.sarif; do
+            [ -f "$sarif" ] || continue
+            before=$(jq '[.runs[].results // [] | length] | add // 0' "$sarif")
+            jq '
+              .runs |= map(.results |= (. // [] | map(
+                select(
+                  (.locations // [])[0].physicalLocation.artifactLocation.uri // "" |
+                  test("(^|/)(go/pkg/generated/|typescript/(src/generated|dist)/|ruby/lib/basecamp/generated/|swift/Sources/Basecamp/Generated/|kotlin/sdk/src/commonMain/kotlin/com/basecamp/sdk/generated/)") | not
+                )
+              )))
+            ' "$sarif" > "${sarif}.tmp" && mv "${sarif}.tmp" "$sarif"
+            after=$(jq '[.runs[].results | length] | add // 0' "$sarif")
+            filtered=$((before - after))
+            echo "$(basename "$sarif"): $before findings, filtered $filtered generated-code alerts, $after remaining"
+          done
+
+      - name: Upload SARIF to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v4
+        continue-on-error: true  # Requires GitHub Advanced Security
+        with:
+          sarif_file: sarif-results
+          category: codeql-swift
