gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 18:21:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
0157510d48f4a335e8d00c4e8280389c1de0b6ff
certctl/.github/workflows/codeql.yml
T
shankar0123 77b0452a2f Add CodeQL workflow — public SAST baseline in Security tab 
Triggered by Reddit feedback (sysadmin user ran Aikido against the
public repo, reported critical command/file-inclusion findings, won't
deploy without seeing scanner-public credibility). Aikido's free tier
gates on OSI-approved licenses, which excludes BSL 1.1; CodeQL is
GitHub-native and free for public repos regardless of license.

Why CodeQL on top of the existing security-deep-scan.yml gosec /
osv-scanner / trivy / ZAP / semgrep / schemathesis / nuclei / testssl:
gosec is single-file pattern matching; CodeQL does interprocedural
taint tracking that catches the same vulnerability classes when input
is laundered through several function calls or struct fields. SARIF
results land in the public Security tab where any operator/security
team auditing certctl can see scan history and triage state without
asking.

Workflow shape
=================
  - Triggers: push to master, PR to master, weekly Sun 06:00 UTC
  - Matrix: go + javascript-typescript
  - Query suite: security-and-quality (security + maintainability,
    comparable to Aikido / SonarCloud scope)
  - Go version: 1.25.9 (matches ci.yml + release.yml + security-
    deep-scan.yml)
  - SARIF auto-uploads via codeql-action/analyze@v3 (implicit;
    populates Security → Code scanning tab)
  - permissions: contents:read + security-events:write + actions:read
  - Fail-fast: false (Go and JS analysis run independently)
  - Timeout: 30min

Suppressions for known-intentional findings (e.g., SSH connector's
InsecureIgnoreHostKey, ACME script-callout shell-out) get inline
codeql[<rule-id>] comments OR config-pack tweaks in a follow-up
commit, with the threat-model justification cited so external
readers see why the finding is intentional.

Verification
=================
  - python3 yaml.safe_load(.github/workflows/codeql.yml): OK
  - First run will surface in the Security tab on next push to master

Bundle: security/codeql-baseline
2026-04-28 15:10:40 +00:00

82 lines
3.1 KiB
YAML
Raw Blame History

name: CodeQL
# Public-facing SAST baseline that complements the existing security-deep-scan
# workflow (gosec, osv-scanner, trivy, ZAP, semgrep, schemathesis, nuclei,
# testssl) with cross-file Go and JavaScript dataflow analysis. Results land
# in the repository's Security → Code scanning tab as a public signal — any
# operator/security team auditing certctl can see the scan history and
# triage state without asking.
#
# Why CodeQL in addition to gosec:
# - gosec is single-file pattern matching (catches obvious issues like
# `os/exec.Command(userInput)`); CodeQL does interprocedural taint
# tracking (catches the same issue when the userInput is laundered
# through several function calls or struct fields).
# - GitHub-native; no third-party SaaS license gate (works for BSL 1.1
# and other source-available licenses, unlike Aikido / Snyk / SonarCloud
# free tiers which require OSI-approved licenses).
# - SARIF results auto-deduplicate and persist on PRs, so reviewers see
# "this PR introduces N new findings" rather than re-running ad hoc.
#
# Findings that are intentional (e.g., the SSH connector's
# InsecureIgnoreHostKey, ACME DNS solver's intentional shell-out to operator-
# supplied scripts) get suppressed via inline `// codeql[<rule-id>]`
# comments OR via a `.github/codeql/codeql-config.yml` query-pack tweak —
# document the rationale in the same commit that adds the suppression so
# the public scan-tab readers see the threat-model justification.
on:
push:
branches: [master]
pull_request:
branches: [master]
schedule:
# Weekly Sunday 06:00 UTC, in addition to push/PR coverage. Catches
# rule-pack updates from CodeQL upstream (their Go/JS rulesets ship
# new queries on a roughly-monthly cadence).
- cron: '0 6 * * 0'
permissions:
contents: read
security-events: write # SARIF upload to GitHub code scanning
actions: read
jobs:
analyze:
name: Analyze (${{ matrix.language }})
runs-on: ubuntu-latest
timeout-minutes: 30
strategy:
fail-fast: false
matrix:
language: [go, javascript-typescript]
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Go
if: matrix.language == 'go'
uses: actions/setup-go@v5
with:
# Match ci.yml + release.yml + security-deep-scan.yml.
go-version: '1.25.9'
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# Use the security-and-quality query suite — security finds plus
# maintainability/correctness issues that the smaller security-extended
# suite skips. Comparable scope to what Aikido / SonarCloud run.
queries: security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{ matrix.language }}"
# SARIF upload is implicit (and is what populates the Security tab).
Reference in New Issue View Git Blame Copy Permalink