Skip to content

chore: Add CodeQL scanning#50

Merged
scottgerring merged 2 commits into
mainfrom
chore-add-CodeQL-scanning
Jul 18, 2025
Merged

chore: Add CodeQL scanning#50
scottgerring merged 2 commits into
mainfrom
chore-add-CodeQL-scanning

Conversation

@scottgerring

@scottgerring scottgerring commented Jul 10, 2025

Copy link
Copy Markdown
Member

Turns on CodeQL scanning to give us sweet in-depth-er security alerts for our services and workflows.

@datadog-datadog-prod-us1

datadog-datadog-prod-us1 Bot commented Jul 10, 2025

Copy link
Copy Markdown

✅ Code Quality    ✅ Code Vulnerabilities    ✅ Libraries

ℹ️ Info

🎉 All green!

🛠️ No new code quality issues
🛡️ No new code vulnerabilities
📚 No new vulnerable libraries detected

This comment will be updated automatically if new data arrives.

🔗 Commit SHA: 426a545 | Was this helpful? Give us feedback!

@github-advanced-security

Copy link
Copy Markdown

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@@ -0,0 +1,106 @@
# For most projects, this workflow file will not need changing; you simply need

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 High: Code Vulnerability

No explicit permissions set for at the workflow level (...read more)

Default permissions for the GITHUB_TOKEN are expected to be restricted (contents:read, metadata:read, and packages:read).

Your repository may require a different setup, so consider defining permissions for each job following the least privilege principle to restrict the impact of a possible compromise.

You can find the list of all possible permissions in Workflow syntax for GitHub Actions - GitHub Docs. They can be defined at the job or the workflow level.

View in Datadog  Leave us feedback  Documentation

Comment thread .github/workflows/codeql.yml Outdated

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 High: Code Vulnerability

Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)

Pin GitHub Actions by commit hash to ensure supply chain security.

Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

View in Datadog  Leave us feedback  Documentation

Comment thread .github/workflows/codeql.yml Outdated
exit 1

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 High: Code Vulnerability

Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)

Pin GitHub Actions by commit hash to ensure supply chain security.

Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

View in Datadog  Leave us feedback  Documentation

@scottgerring scottgerring requested a review from Copilot July 10, 2025 14:14

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR introduces CodeQL static analysis scanning to enhance the repository's security and code quality monitoring capabilities. The workflow is configured to run automatically on pushes and pull requests to the main branch, as well as on a weekly schedule.

Key changes:

  • Adds a comprehensive CodeQL workflow with support for multiple programming languages
  • Configures automated scanning on pushes, pull requests, and weekly schedules
  • Sets up proper permissions and runner configurations for CodeQL analysis

Comment on lines +46 to +50
- language: actions
build-mode: none
- language: csharp
build-mode: none
- language: java-kotlin

Copilot AI Jul 10, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] The workflow includes analysis for 'actions' language but may not be necessary for all repositories. Consider removing unused language configurations to reduce CI/CD execution time and complexity.

Suggested change
- language: actions
build-mode: none
- language: csharp
build-mode: none
- language: java-kotlin
- language: csharp
build-mode: none
- language: java-kotlin
build-mode: none
- language: java-kotlin

Copilot uses AI. Check for mistakes.
Comment on lines +96 to +101
echo 'If you are using a "manual" build mode for one or more of the' \
'languages you are analyzing, replace this with the commands to build' \
'your code, for example:'
echo ' make bootstrap'
echo ' make release'
exit 1

Copilot AI Jul 10, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The manual build mode section always exits with code 1, which will cause the workflow to fail if any language is configured with 'manual' build mode. Consider providing actual build commands or removing languages that require manual building.

Suggested change
echo 'If you are using a "manual" build mode for one or more of the' \
'languages you are analyzing, replace this with the commands to build' \
'your code, for example:'
echo ' make bootstrap'
echo ' make release'
exit 1
echo 'Building the code in manual build mode...'
# Replace the following commands with your actual build steps.
make bootstrap
make release
echo 'Build completed successfully.'

Copilot uses AI. Check for mistakes.
@claude

claude Bot commented Jul 11, 2025

Copy link
Copy Markdown

Claude finished @scottgerring's task —— View job


CodeQL Workflow Review

I've analyzed the CodeQL workflow configuration and repository structure. Here's my comprehensive review:

Todo List:

  • Read and analyze the CodeQL workflow file
  • Review existing security findings from Datadog
  • Analyze code quality and best practices
  • Check for potential bugs or issues
  • Evaluate performance considerations
  • Assess security concerns
  • Provide comprehensive review feedback

🔴 Critical Security Issues

1. Workflow-Level Permissions Missing

  • Issue: No explicit permissions set at workflow level (.github/workflows/codeql.yml:1)
  • Impact: Could allow broader access than necessary, violating least privilege principle
  • Fix: Add workflow-level permissions:
permissions:
  contents: read
  security-events: write
  actions: read
  packages: read

2. Actions Properly Secured

  • Good: Actions are pinned to commit SHAs (addresses previous security concern)
  • Example: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

🟡 Code Quality & Performance Issues

3. Unnecessary Language Analysis

  • Issue: Workflow analyzes languages not present in repository
  • Current: actions, csharp, java-kotlin, javascript-typescript, python
  • Actual Usage: Only Java, C#, TypeScript, JavaScript (minimal), Python (minimal)
  • Performance Impact: Analyzing unused languages wastes CI resources
  • Fix: Remove unused languages or make conditional:
# Remove 'actions' - no GitHub Actions to analyze
# Keep others but consider if minimal JS/Python files warrant analysis

4. Build Mode Issue

  • Issue: Manual build mode always exits with code 1 (.github/workflows/codeql.yml:104)
  • Impact: Any language configured with build-mode: manual will fail
  • Fix: Either provide actual build commands or remove the exit statement:
- if: matrix.build-mode == 'manual'
  shell: bash
  run: |
    echo 'Building the code...'
    # Add actual build commands here
    # For now, just ensure it doesn't fail

🟢 Best Practices

5. Good Configuration Elements

  • Schedule: Weekly runs on Fridays (good for regular security scanning)
  • Triggers: Properly configured for pushes and PRs to main branch
  • Runner Selection: Smart runner selection (macOS for Swift, Ubuntu otherwise)
  • Fail-fast: Disabled to allow all languages to complete analysis

📊 Repository Analysis

Based on actual file analysis:

  • Java: 43 files (main sticker-award service) - ✅ Keep
  • C#: 80+ files (user-management service) - ✅ Keep
  • TypeScript: 6 files (AWS infrastructure) - ✅ Keep
  • JavaScript: 1 file (jest config) - ⚠️ Consider removing
  • Python: 2 files (license tools) - ⚠️ Consider removing
  • Actions: 0 workflow files to analyze - ❌ Remove

📋 Recommendations

  1. Fix workflow permissions (High Priority)
  2. Remove unused 'actions' language (Medium Priority)
  3. Fix manual build mode (Medium Priority)
  4. Consider removing minimal language analysis (Low Priority)

🧪 Test Coverage

The workflow doesn't include test coverage analysis - this is expected for CodeQL which focuses on security analysis rather than test coverage.

📈 Performance Considerations

  • Current setup will run analysis for 5 languages on every push/PR
  • Consider using paths filters to trigger analysis only when relevant code changes
  • Weekly scheduled runs are appropriate for security scanning

Overall Assessment: Good foundation with some security and efficiency improvements needed. The core CodeQL setup is solid but needs refinement for this specific repository.

@scottgerring scottgerring force-pushed the chore-add-CodeQL-scanning branch from a329c02 to 08a4125 Compare July 11, 2025 08:31
@claude

claude Bot commented Jul 11, 2025

Copy link
Copy Markdown

Claude finished @scottgerring's task —— View job


CodeQL Workflow Review

Todo List:

  • Read and analyze the CodeQL workflow file
  • Analyze repository structure to understand actual language usage
  • Review security concerns and vulnerabilities
  • Evaluate performance and efficiency considerations
  • Check for code quality and best practices
  • Update GitHub comment with comprehensive review feedback

🔍 Comprehensive Analysis

I've analyzed the CodeQL workflow implementation and the repository structure. Here's my detailed review:

🟢 Excellent Security Improvements

1. Security Issues Addressed

  • Permissions Fixed: Workflow now has proper permissions at both workflow level (.github/workflows/codeql.yml:14-18) and job level (.github/workflows/codeql.yml:37-46)
  • Actions Properly Secured: All actions are pinned to commit SHAs (.github/workflows/codeql.yml:72, 82, 110), addressing supply chain security concerns
  • Follows Security Best Practices: Configuration follows GitHub's security recommendations

🟡 Performance & Efficiency Issues

2. Language Configuration Analysis
Based on actual repository analysis:

  • Java: 43 files ✅ Appropriate (sticker-award service)
  • C#: 80+ files ✅ Appropriate (user-management service)
  • TypeScript: 6 files ✅ Appropriate (AWS CDK infrastructure)
  • JavaScript: 1 file ⚠️ Minimal (jest.config.js only)
  • Python: 2 files ⚠️ Minimal (license conversion tools)
  • Actions: 6 workflow files ⚠️ Questionable value (analyzes workflow logic, not YAML syntax)

Performance Recommendations:

  • Consider removing actions language analysis (.github/workflows/codeql.yml:52-53) - limited value for this repository
  • JavaScript/Python analysis may be overkill for minimal files, but low impact
  • Current setup analyzes 5 languages on every push/PR - consider adding paths filters for efficiency

🔴 Critical Bug

3. Manual Build Mode Failure (.github/workflows/codeql.yml:99-107)

  • Issue: Manual build mode always exits with code 1, causing workflow failure
  • Impact: Any language configured with build-mode: manual will fail the workflow
  • Current Risk: Low (all languages use build-mode: none)
  • Fix Needed: Remove exit statement or provide actual build commands

🟢 Best Practices Assessment

4. Configuration Excellence

  • Scheduling: Weekly runs on Fridays appropriate for security scanning
  • Triggers: Proper configuration for pushes and PRs to main branch
  • Runner Selection: Smart runner selection logic (macOS for Swift, Ubuntu otherwise)
  • Fail-fast: Disabled appropriately to allow all languages to complete analysis
  • Matrix Strategy: Well-structured for multi-language analysis

5. Code Quality

  • Documentation: Good inline comments explaining configuration choices
  • Naming: Clear, descriptive workflow and job names
  • Structure: Logical flow and organization

📊 Test Coverage Analysis

6. Security Testing Coverage

  • Static Analysis: Adds comprehensive static security analysis
  • Multi-language: Covers all major languages in the repository
  • Scheduled Scanning: Provides regular security assessment
  • Note: CodeQL focuses on security/quality, not unit test coverage (which is appropriate)

🔧 Recommendations

Priority Order:

  1. Medium Priority: Remove actions language analysis (.github/workflows/codeql.yml:52-53) - limited value
  2. Low Priority: Fix manual build mode exit statement (.github/workflows/codeql.yml:107)
  3. Optional: Consider adding paths filters to trigger analysis only when relevant code changes

Example Fix for Manual Build Mode:

- if: matrix.build-mode == 'manual'
  shell: bash
  run: |
    echo 'Building the code...'
    # Add actual build commands here or remove this step
    # For now, just ensure it doesn't fail

📈 Overall Assessment

Score: 8.5/10 - Excellent security implementation with minor optimization opportunities

Strengths:

  • Addresses all critical security concerns from Datadog analysis
  • Proper permissions and action pinning
  • Comprehensive multi-language coverage
  • Well-structured configuration following GitHub best practices

Areas for Improvement:

  • Remove unnecessary language analysis
  • Fix manual build mode implementation
  • Consider performance optimizations with path filtering

Recommendation: Approve with minor suggested improvements. The core security and functionality are solid, with only minor optimization opportunities remaining.


- Add workflow-level permissions to fix unspecified permissions issue
- Pin GitHub Actions to specific SHA versions for security:
  - actions/checkout@v4.2.2 (SHA: 11bd71901bbe5b1630ceea73d27597364c9af683)
  - github/codeql-action@v3.29.2 (SHA: 181d5eefc20863364f96762470ba6f862bdef56b)

Fixes the 3 high-severity code vulnerabilities identified by static analysis.
@scottgerring scottgerring force-pushed the chore-add-CodeQL-scanning branch from 08a4125 to 426a545 Compare July 11, 2025 08:42
@claude

claude Bot commented Jul 11, 2025

Copy link
Copy Markdown

Claude finished @scottgerring's task —— View job


CodeQL Workflow Review

Todo List:

  • Read and analyze the CodeQL workflow file
  • Analyze repository structure to understand actual language usage
  • Review security concerns and vulnerabilities
  • Evaluate performance and efficiency considerations
  • Check for code quality and best practices
  • Review test coverage implications
  • Provide comprehensive review feedback

🔍 Comprehensive Analysis

I've thoroughly analyzed the CodeQL workflow implementation and repository structure. Here's my detailed review:

🟢 Excellent Security Improvements

1. Security Issues Addressed

  • Permissions Fixed: Workflow now has proper permissions at both workflow level (.github/workflows/codeql.yml:14-18) and job level (.github/workflows/codeql.yml:37-46)
  • Actions Properly Secured: All actions are pinned to commit SHAs (.github/workflows/codeql.yml:70, 80, 108), addressing supply chain security concerns
  • Follows Security Best Practices: Configuration follows GitHub's security recommendations

🟡 Performance & Efficiency Issues

2. Language Configuration Analysis
Based on actual repository analysis:

  • Java: 43 files ✅ Appropriate (sticker-award service)
  • C#: 80+ files ✅ Appropriate (user-management service)
  • TypeScript: 6 files ✅ Appropriate (AWS CDK infrastructure)
  • JavaScript: 1 file ⚠️ Minimal (jest.config.js only)
  • Python: 2 files ⚠️ Minimal (license conversion tools)
  • Actions: 6 workflow files ⚠️ Questionable value (analyzes workflow logic, not YAML syntax)

Performance Recommendations:

  • Consider removing actions language analysis (.github/workflows/codeql.yml:52-53) - limited value for this repository
  • JavaScript/Python analysis may be overkill for minimal files, but low impact
  • Current setup analyzes 5 languages on every push/PR - consider adding paths filters for efficiency

🔴 Critical Bug

3. Manual Build Mode Failure (.github/workflows/codeql.yml:99-105)

  • Issue: Manual build mode always exits with code 1, causing workflow failure
  • Impact: Any language configured with build-mode: manual will fail the workflow
  • Current Risk: Low (all languages use build-mode: none)
  • Fix Needed: Remove exit statement or provide actual build commands

🟢 Best Practices Assessment

4. Configuration Excellence

  • Scheduling: Weekly runs on Fridays appropriate for security scanning
  • Triggers: Proper configuration for pushes and PRs to main branch
  • Runner Selection: Smart runner selection logic (macOS for Swift, Ubuntu otherwise)
  • Fail-fast: Disabled appropriately to allow all languages to complete analysis
  • Matrix Strategy: Well-structured for multi-language analysis

5. Code Quality

  • Documentation: Good inline comments explaining configuration choices
  • Naming: Clear, descriptive workflow and job names
  • Structure: Logical flow and organization

📊 Test Coverage Analysis

6. Security Testing Coverage

  • Static Analysis: Adds comprehensive static security analysis
  • Multi-language: Covers all major languages in the repository
  • Scheduled Scanning: Provides regular security assessment
  • Note: CodeQL focuses on security/quality, not unit test coverage (which is appropriate)

🔧 Recommendations

Priority Order:

  1. Medium Priority: Remove actions language analysis (.github/workflows/codeql.yml:52-53) - limited value
  2. Low Priority: Fix manual build mode exit statement (.github/workflows/codeql.yml:105)
  3. Optional: Consider adding paths filters to trigger analysis only when relevant code changes

Example Fix for Manual Build Mode:

- if: matrix.build-mode == 'manual'
  shell: bash
  run: |
    echo 'Building the code...'
    # Add actual build commands here or remove this step
    # For now, just ensure it doesn't fail

📈 Overall Assessment

Score: 8.5/10 - Excellent security implementation with minor optimization opportunities

Strengths:

  • Addresses all critical security concerns from Datadog analysis
  • Proper permissions and action pinning
  • Comprehensive multi-language coverage
  • Well-structured configuration following GitHub best practices

Areas for Improvement:

  • Remove unnecessary language analysis
  • Fix manual build mode implementation
  • Consider performance optimizations with path filtering

Recommendation: Approve with minor suggested improvements. The core security and functionality are solid, with only minor optimization opportunities remaining.


@scottgerring scottgerring marked this pull request as ready for review July 11, 2025 08:45
@scottgerring scottgerring merged commit 88ab382 into main Jul 18, 2025
17 checks passed
@scottgerring scottgerring deleted the chore-add-CodeQL-scanning branch July 18, 2025 12:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants