feat: add CodeQL security scanning workflow #9
Closed
dims wants to merge 4 commits into
Conversation
Add GitHub CodeQL analysis for automated security vulnerability detection. CodeQL is GitHub's semantic code analysis engine that catches issues like:
- SQL injection
- Command injection
- Path traversal
- Hardcoded credentials
- Insecure cryptographic practices

Schedule:
- On push to main
- On PRs to main
- Weekly (Monday 5am UTC) to catch newly discovered vulnerability patterns

This aligns with the pattern used by nvidia-container-toolkit, k8s-device-plugin, and gpu-operator.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Davanum Srinivas <dsrinivas@nvidia.com>
Pull request overview
Adds a GitHub Actions workflow to run CodeQL security analysis on the Go codebase on pushes/PRs to main and on a weekly schedule.
Changes:
- Introduces a new `codeql.yaml` workflow triggering on `push`, `pull_request`, and weekly `cron`.
- Configures CodeQL for Go with a manual build step (`make build`).
- Adds workflow-level concurrency and SARIF upload permissions for Security tab reporting.
The workflow failed to checkout the repository because it lacked the contents:read permission needed to access the private repo.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Davanum Srinivas <dsrinivas@nvidia.com>

- Add actions:read permission for workflow metadata access
- Pin all actions to SHA with version comments for supply chain security
- Update to codeql-action v4.32.0 (matches vuln-scan.yaml)
- Fix indentation to match project style (6-space for steps)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Davanum Srinivas <dsrinivas@nvidia.com>

`make build` requires goreleaser which isn't installed in the workflow. Use `go build ./...` which is sufficient for CodeQL code analysis.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Davanum Srinivas <dsrinivas@nvidia.com>
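For readers who want to see the pieces the commits above describe in one place (push/PR/weekly triggers, concurrency, the `contents: read`, `actions: read` and `security-events: write` permissions, SHA-pinned actions with version comments, and `go build ./...` as the manual build), the following is an added reconstruction, not the PR's own `codeql.yaml`. The job name, the `actions/setup-go` step with `go-version-file: go.mod`, and the `build-mode: manual` input are assumptions; the `<..._SHA>` values are placeholders to be replaced with the real commit SHA for each tagged version.

```yaml
# Added example reconstructed from the PR discussion; not the repository's file.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 5 * * 1"   # weekly, Monday 05:00 UTC, to pick up new query packs

# Cancel a superseded run of the same ref instead of queueing duplicates.
concurrency:
  group: codeql-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Nothing at workflow level; the job grants exactly what CodeQL needs.
permissions: {}

jobs:
  analyze:                        # job name is an assumption
    name: Analyze (Go)
    runs-on: ubuntu-latest
    permissions:
      contents: read          # checkout of a private repo fails without this
      actions: read           # workflow metadata access used by codeql-action
      security-events: write  # upload SARIF results to the Security tab
    steps:
      - name: Checkout
        uses: actions/checkout@<CHECKOUT_SHA> # v4 (placeholder SHA, pin to real commit)

      - name: Set up Go
        uses: actions/setup-go@<SETUP_GO_SHA> # v5 (placeholder SHA, pin to real commit)
        with:
          go-version-file: go.mod   # assumption: version tracked in go.mod

      - name: Initialize CodeQL
        uses: github/codeql-action/init@<CODEQL_SHA> # v4.32.0 (placeholder SHA)
        with:
          languages: go
          build-mode: manual        # we compile ourselves in the step below

      # Plain `go build` is enough for CodeQL to trace compilation;
      # `make build` would require goreleaser, which the runner lacks.
      - name: Build
        run: go build ./...

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@<CODEQL_SHA> # v4.32.0 (placeholder SHA)
        with:
          category: "/language:go"
```

Pinning `uses:` to a full commit SHA rather than a mutable tag is what gives the supply-chain protection the second commit mentions; the trailing `# vX.Y.Z` comment keeps the pin readable and lets dependency-update tooling bump it.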
Risk Assessment
Low - Adds read-only security scanning; does not modify build or release processes.
🤖 Generated with Claude Code