aws-xray-sdk-python/.github/workflows/codeql-analysis.yml at fca3d63612a81f3e6bb7185091ec0cf9fadddd86 · aws/aws-xray-sdk-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
name: "CodeQL Security Analysis"

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
  schedule:
    # Run CodeQL analysis weekly on Mondays at 2 AM UTC
    - cron: '0 2 * * 1'

permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    timeout-minutes: 360

    strategy:
      fail-fast: false
      matrix:
        language: [ 'python' ]

    steps:
    - name: Checkout repository
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

    - name: Initialize CodeQL
      uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
      with:
        languages: ${{ matrix.language }}
        # Override default queries to include security-extended for more comprehensive analysis
        queries: security-extended,security-and-quality

    - name: Setup Python 3.11
      uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
      with:
        python-version: '3.11'

    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        pip install tox setuptools wheel

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
      with:
        category: "/language:${{matrix.language}}"
        upload: false  # Don't upload to avoid conflict with default setup

  dependency-scan:
    name: Python Dependency Scan
    runs-on: ubuntu-latest
    timeout-minutes: 30

    steps:
    - name: Checkout repository
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

    - name: Setup Python 3.11
      uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
      with:
        python-version: '3.11'

    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        pip install tox setuptools wheel

    - name: Install and run Safety
      continue-on-error: true
      run: |
        # Install Safety for Python dependency vulnerability scanning
        pip install safety==3.2.8

        # Generate requirements from setup.py
        pip install -e .
        pip freeze > requirements-frozen.txt

        # Run Safety scan and generate JSON report
        safety check --json --output safety-results.json || echo "Safety scan completed"

    - name: Install and run pip-audit
      continue-on-error: true
      run: |
        # Install pip-audit for comprehensive Python package vulnerability scanning
        pip install pip-audit==2.7.3

        # Run pip-audit and generate SARIF
        pip-audit --format=sarif --output=pip-audit-results.sarif . || echo "pip-audit scan completed"

    - name: Install and run Bandit
      continue-on-error: true
      run: |
        # Install Bandit for Python security linting
        pip install bandit[toml]==1.7.10

        # Run Bandit security analysis and generate SARIF
        bandit -r aws_xray_sdk/ -f sarif -o bandit-results.sarif || echo "Bandit scan completed"

    - name: Upload pip-audit results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
      if: always() && hashFiles('pip-audit-results.sarif') != ''
      with:
        sarif_file: pip-audit-results.sarif
        category: 'pip-audit'

    - name: Upload Bandit results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
      if: always() && hashFiles('bandit-results.sarif') != ''
      with:
        sarif_file: bandit-results.sarif
        category: 'bandit-security'

    - name: Upload dependency reports
      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
      if: always()
      with:
        name: dependency-reports
        path: |
          safety-results.json
          pip-audit-results.sarif
          bandit-results.sarif
          requirements-frozen.txt

  security-scan:
    name: Python Security Scan
    runs-on: ubuntu-latest
    timeout-minutes: 30

    steps:
    - name: Checkout repository
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

    - name: Setup Python 3.11
      uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
      with:
        python-version: '3.11'

    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        pip install tox setuptools wheel
        pip install -e .

    - name: Run Semgrep security analysis
      continue-on-error: true
      run: |
        # Install Semgrep
        python -m pip install semgrep==1.88.0

        # Run Semgrep with Python security rules
        semgrep --config=auto --sarif --output=semgrep-results.sarif . || echo "Semgrep scan completed"

    - name: Run Pylint security checks
      continue-on-error: true
      run: |
        # Install Pylint with security plugins
        pip install pylint==3.3.1 pylint-django==2.6.1

        # Run Pylint with security-focused checks
        pylint --load-plugins=pylint.extensions.bad_builtin,pylint.extensions.check_elif,pylint.extensions.comparetozero,pylint.extensions.consider_ternary_expression,pylint.extensions.docparams,pylint.extensions.empty_comment,pylint.extensions.eq_without_hash,pylint.extensions.for_any_all,pylint.extensions.mccabe,pylint.extensions.no_self_use,pylint.extensions.overlapping_exceptions,pylint.extensions.private_import,pylint.extensions.redefined_loop_name,pylint.extensions.redefined_variable_type,pylint.extensions.set_membership,pylint.extensions.typing,pylint.extensions.while_used --output-format=json aws_xray_sdk/ > pylint-results.json || echo "Pylint scan completed"

    - name: Run mypy type checking
      continue-on-error: true
      run: |
        # Install mypy for static type checking
        pip install mypy==1.13.0

        # Run mypy type checking (security-relevant for type safety)
        mypy aws_xray_sdk/ --ignore-missing-imports --json-report mypy-report || echo "mypy scan completed"

    - name: Upload Semgrep results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
      if: always() && hashFiles('semgrep-results.sarif') != ''
      with:
        sarif_file: semgrep-results.sarif
        category: 'semgrep-security'

    - name: Upload security analysis reports
      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
      if: always()
      with:
        name: security-analysis-reports
        path: |
          semgrep-results.sarif
          pylint-results.json
          mypy-report/