PR26.6: takeover preserves non-nftban authority (table classifier + lock-in tests) #1615
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ============================================================================= | |
| # NFTBan - CodeQL Analysis | |
| # ============================================================================= | |
| # SPDX-License-Identifier: MPL-2.0 | |
| # Purpose: Deep static analysis of Go code using GitHub CodeQL | |
| # | |
| # Runs on: | |
| # - Push to main branch | |
| # - Pull requests to main branch | |
| # - Weekly on Sunday at 3:00 AM UTC | |
| # | |
| # Outputs: | |
| # - SARIF report uploaded to GitHub Security tab | |
| # - Detailed code scanning alerts for security vulnerabilities | |
| # | |
| # Note: This complements gosec/staticcheck in secure-go.yml with deeper | |
| # semantic analysis including taint tracking and data flow analysis. | |
| # ============================================================================= | |
| name: CodeQL | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| - cron: '0 3 * * 0' # Weekly: Sunday 3:00 AM UTC | |
| permissions: | |
| security-events: write | |
| contents: read | |
| actions: read | |
| concurrency: | |
| group: codeql-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| analyze: | |
| name: CodeQL Analysis (Go) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - name: Set up Go | |
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.6.0 | |
| with: | |
| go-version: '1.25' | |
| - name: Cache Go modules | |
| uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.3.0 | |
| with: | |
| path: | | |
| ~/go/pkg/mod | |
| ~/.cache/go-build | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: ${{ runner.os }}-go- | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@f5c2471be782132e47a6e6f9c725e56730d6e9a3 # v3.32.3 | |
| with: | |
| languages: go | |
| # Use extended security queries for more thorough analysis | |
| queries: security-extended | |
| - name: Build Go code | |
| run: go build ./... | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@f5c2471be782132e47a6e6f9c725e56730d6e9a3 # v3.32.3 | |
| with: | |
| category: codeql-go | |
| - name: Generate summary | |
| if: always() | |
| run: | | |
| echo "## CodeQL Analysis Results" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "CodeQL has performed deep static analysis on the Go codebase:" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "### Analysis Capabilities" >> $GITHUB_STEP_SUMMARY | |
| echo "- **Data flow analysis**: Tracks how data flows through the program" >> $GITHUB_STEP_SUMMARY | |
| echo "- **Taint tracking**: Identifies untrusted input reaching sensitive sinks" >> $GITHUB_STEP_SUMMARY | |
| echo "- **Security queries**: Detects common vulnerability patterns" >> $GITHUB_STEP_SUMMARY | |
| echo "- **Code quality**: Identifies potential bugs and anti-patterns" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "### Vulnerability Categories" >> $GITHUB_STEP_SUMMARY | |
| echo "- SQL injection" >> $GITHUB_STEP_SUMMARY | |
| echo "- Command injection" >> $GITHUB_STEP_SUMMARY | |
| echo "- Path traversal" >> $GITHUB_STEP_SUMMARY | |
| echo "- Cross-site scripting (XSS)" >> $GITHUB_STEP_SUMMARY | |
| echo "- Insecure deserialization" >> $GITHUB_STEP_SUMMARY | |
| echo "- Hardcoded credentials" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "Check the **Security** tab for detailed findings." >> $GITHUB_STEP_SUMMARY |