
feat: Add CodeQL security analysis workflow #5

Merged
shaunburdick merged 3 commits into main from 005-codeql-security-analysis, Mar 15, 2026

Conversation

@shaunburdick

Owner

Summary

Add comprehensive CodeQL static analysis to CI/CD pipeline for continuous security monitoring of the Rust codebase.

What's New

  • CodeQL Workflow: New .github/workflows/codeql.yml with security-extended query suite
  • Automated Scanning: Runs on every push/PR to main, plus weekly scheduled scans
  • Documentation: Added CodeQL badge to README.md and updated SECURITY.md
  • Optimized for Rust: Uses build-mode: none (rust-analyzer) for fast analysis

Technical Details

  • Triggers: push/PR to main, weekly schedule (Sundays 00:00 UTC), manual dispatch
  • Query Suite: security-extended for thorough vulnerability detection
  • Timeout: 30 minutes to prevent workflow hangs
  • Results: Uploaded to GitHub Security tab for review

Testing

  • ✅ All tests passing (181 tests)
  • ✅ Zero clippy warnings
  • ✅ Build successful
  • ✅ No changes to source code - workflow and documentation only

Verification Steps

  1. Check .github/workflows/codeql.yml for proper configuration
  2. Verify README.md badge addition
  3. Review SECURITY.md updates
  4. Workflow will run automatically on this PR

Related

  • Addresses security monitoring recommendations
  • Complements existing CI workflow
  • Part of code quality improvement initiative
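The workflow the description lists (push/PR to main, weekly Sunday scan, manual dispatch, 30-minute timeout, `build-mode: none`, `security-extended`, `/language:rust` category, CodeQL Action v4, checkout v6), reconstructed here as an added example. It is not the PR's own `.github/workflows/codeql.yml`; the job name, runner image, permissions block and exact cron line are assumptions.

```yaml
# Reconstructed example of the workflow this PR describes; not the PR's own file.
# Assumed: job name, runner image, the permissions block and the exact cron line.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 0 * * 0"    # weekly, Sundays 00:00 UTC
  workflow_dispatch:        # manual run from the Actions tab

permissions:
  contents: read            # least privilege: checkout only needs read
  security-events: write    # needed so the analyze step can upload SARIF to the Security tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    timeout-minutes: 30     # bound a hung analysis instead of burning runner minutes
    steps:
      - uses: actions/checkout@v6

      - uses: github/codeql-action/init@v4
        with:
          languages: rust
          build-mode: none            # extract with rust-analyzer; no cargo build required
          queries: security-extended  # default suite plus lower-precision security queries

      - uses: github/codeql-action/analyze@v4
        with:
          category: "/language:rust"  # fixed category so each upload replaces the previous results
```

Because `security-extended` adds lower-precision queries on top of the default suite, expect more alerts than the default and plan to triage them in the Security tab rather than treating every finding as confirmed.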

Add comprehensive CodeQL static analysis to CI/CD pipeline for
continuous security monitoring of Rust codebase.

Features:
- Runs on every push and pull request
- Weekly scheduled scans (Sundays at 00:00 UTC)
- Security-extended query suite for thorough vulnerability detection
- Uses build-mode: none for fast Rust analysis (rust-analyzer)
- Results uploaded to GitHub Security tab

Documentation:
- Added CodeQL badge to README.md
- Updated SECURITY.md with CodeQL details
- 30-minute timeout to prevent workflow hangs

Remove unnecessary matrix strategy since we only have a single language (Rust).
Remove master branch references as it will never exist in this project.

Changes:
- Removed matrix strategy (lines 28-32)
- Changed language from matrix variable to static 'rust' value
- Removed 'master' from branch triggers (only 'main' remains)
- Simplified category in analyze step to '/language:rust'

Upgrade actions to latest versions to avoid deprecation warnings:
- CodeQL Action: v3 → v4 (v3 will be deprecated in December 2026)
- Checkout Action: v4 → v6

CodeQL Action v4 runs on Node.js 24 runtime and ensures continued
support for new CodeQL analysis capabilities beyond December 2026.

References:
- https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/

@shaunburdick shaunburdick merged commit a0236e4 into main Mar 15, 2026
6 checks passed
@shaunburdick shaunburdick deleted the 005-codeql-security-analysis branch March 15, 2026 14:47