Add CodeQL query to detect unclosed Repository and Storage instances #8
Merged
pjbgf merged 2 commits into May 7, 2026
fcbb6b2 to 1efa082
Implements static analysis to detect resource leaks in go-git usage where Repository or Storage instances are created but never closed. This provides compile-time detection of file handle leaks as an alternative to runtime leak detection.

The query detects:
- Repository creation via PlainOpen, Init, Clone, and related functions
- Storage creation via NewStorage and NewStorageWithOptions
- Submodule and worktree operations that return repositories
- Missing Close() calls or defer cleanup patterns

Includes a GitHub Actions workflow that:
- Runs on pushes, PRs, and weekly schedule
- Can be manually triggered with custom go-git branch/ref
- Uses latest actions/checkout@v6.0.2 and codeql-action@v4.35.3

Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Arieh Schneier <15041913+AriehSchneier@users.noreply.github.com>
1efa082 to 170d798
pjbgf reviewed May 7, 2026 (3 reviews)
Co-authored-by: Paulo Gomes <paulo.gomes.uk@gmail.com>
Signed-off-by: Paulo Gomes <paulo.gomes.uk@gmail.com>
pjbgf approved these changes May 7, 2026
pjbgf (Member) left a comment:
@AriehSchneier Thanks for working on this. 🙇
Summary
Implements static analysis to detect resource leaks in go-git usage where Repository or Storage instances are created but never closed. This provides compile-time detection of file handle leaks as an alternative to runtime leak detection.
What's included

- CodeQL Query (codeql/queries/unclosed-resources.ql): detects patterns where resources are created but not closed:
  - Repository creation via PlainOpen, Init, Clone, and related functions
  - Storage creation via NewStorage and NewStorageWithOptions
  - Missing Close() calls or defer cleanup patterns
  The query excludes false positives by ignoring:
- CodeQL Configuration (codeql/codeql-config.yml, codeql/qlpack.yml)
- GitHub Actions Workflow (.github/workflows/codeql.yml): actions/checkout@v6.0.2 and codeql-action@v4.35.3
- Documentation (codeql/README.md)

Benefits
✅ Catches resource leaks at code review time, not test time
✅ No build tags or test infrastructure needed
✅ Works on all code, not just test code
✅ No runtime overhead
✅ Helps enforce best practices across the ecosystem
Test plan
🤖 Generated with Claude Code
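The check the PR describes (a go-git Repository or Storage produced by PlainOpen, Init, Clone, NewStorage or NewStorageWithOptions that never reaches a Close() call, with a deferred Close counting as cleanup) can be prototyped outside CodeQL with the standard go/ast package. The block below is an added example written for this page; it is not the PR's query and not go-git code. It assumes the constructor names listed in the PR description and the PR's premise that Repository and Storage expose a Close method; SampleSource, Finding and FindUnclosed are this example's own names, and the sample source is constructed input that is only parsed, never compiled (so its imports are omitted). Unlike the CodeQL query, which has data flow and can follow the value through aliases, this prototype is per-function and matches on the receiver's name only.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Constructors whose result must be closed (names from the PR description; an assumption to adjust per go-git version).
var creators = map[string]bool{"PlainOpen": true, "Init": true, "Clone": true, "NewStorage": true, "NewStorageWithOptions": true}
// Finding is one Repository or Storage that is created but never closed.
type Finding struct {
	Func, Var, Ctor string // enclosing function, variable, constructor
	Line            int
}
// FindUnclosed parses src and, per function body, reports variables assigned from a creator
// call that never receive a Close() call (plain or deferred) and are never returned (returning
// hands ownership to the caller). Deliberately name-based and flow-insensitive, like the query.
func FindUnclosed(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, decl := range file.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Body == nil {
			continue
		}
		var created []Finding // kept in source order so the output is deterministic
		closed, returned := map[string]bool{}, map[string]bool{}
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			switch x := n.(type) {
			case *ast.AssignStmt: // r, err := git.PlainOpen(path): the first LHS name holds the resource
				if id, ok := x.Lhs[0].(*ast.Ident); ok && id.Name != "_" && len(x.Rhs) == 1 {
					if call, ok := x.Rhs[0].(*ast.CallExpr); ok {
						if sel, ok := call.Fun.(*ast.SelectorExpr); ok && creators[sel.Sel.Name] {
							created = append(created, Finding{fn.Name.Name, id.Name, sel.Sel.Name, fset.Position(id.Pos()).Line})
						}
					}
				}
			case *ast.CallExpr: // r.Close() and defer r.Close() both arrive here
				if sel, ok := x.Fun.(*ast.SelectorExpr); ok && sel.Sel.Name == "Close" {
					if id, ok := sel.X.(*ast.Ident); ok {
						closed[id.Name] = true
					}
				}
			case *ast.ReturnStmt:
				for _, res := range x.Results {
					if id, ok := res.(*ast.Ident); ok {
						returned[id.Name] = true
					}
				}
			}
			return true
		})
		for _, f := range created {
			if !closed[f.Var] && !returned[f.Var] {
				out = append(out, f)
			}
		}
	}
	return out, nil
}

// SampleSource is constructed input, not real go-git code (only parsed, so imports are omitted): one leak, one correct defer, one hand-off to the caller.
const SampleSource = `package demo
func leaky(path string) error {
	r, err := git.PlainOpen(path)
	if err != nil {
		return err
	}
	_, err = r.Head()
	return err
}
func clean(path string) error {
	r, err := git.PlainOpen(path)
	if err != nil {
		return err
	}
	defer r.Close()
	return nil
}
func newStorage(fs billy.Filesystem) *filesystem.Storage {
	st := filesystem.NewStorageWithOptions(fs, nil, filesystem.Options{})
	return st // ownership passes to the caller, so this is not flagged
}
`

func main() {
	findings, err := FindUnclosed("sample.go", SampleSource)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s from %s() at line %d is never closed\n", f.Func, f.Var, f.Ctor, f.Line)
	}
}
```

Running it reports only leaky. The newStorage case is the exclusion any such query needs: a resource that is returned belongs to the caller, and flagging the callee would be a false positive. The clean case shows why defer must be treated as a close, and a Close reached only on one branch is still accepted, which is the trade-off of a flow-insensitive check.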