Charon/.github/workflows/codeql.yml

name: CodeQL - Analyze

on:
  workflow_run:
    workflows: ["Docker Build, Publish & Test"]
    types: [completed]
  schedule:
    - cron: '0 3 * * 1'

concurrency:
  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}
  cancel-in-progress: true

env:
  GO_VERSION: '1.25.7'
  GOTOOLCHAIN: auto

permissions:
  contents: read
  security-events: write
  actions: read
  pull-requests: read

jobs:
  analyze:
    name: CodeQL analysis (${{ matrix.language }})
    runs-on: ubuntu-latest
    # Skip forked PRs where CHARON_TOKEN lacks security-events permissions
    if: >-
      (github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success')
    permissions:
      contents: read
      security-events: write
      actions: read
      pull-requests: read
    strategy:
      fail-fast: false
      matrix:
        language: [ 'go', 'javascript-typescript' ]
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          ref: ${{ github.event.workflow_run.head_sha || github.sha }}

      - name: Initialize CodeQL
        uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4
        with:
          languages: ${{ matrix.language }}
          # Use CodeQL config to exclude documented false positives
          # Go: Excludes go/request-forgery for url_testing.go (has 4-layer SSRF defense)
          # See: .github/codeql/codeql-config.yml for full justification
          config-file: ./.github/codeql/codeql-config.yml

      - name: Setup Go
        if: matrix.language == 'go'
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: backend/go.sum

      - name: Autobuild
        uses: github/codeql-action/autobuild@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4
        with:
          category: "/language:${{ matrix.language }}"

      - name: Check CodeQL Results
        if: always()
        run: |
          echo "## 🔒 CodeQL Security Analysis Results" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**Language:** ${{ matrix.language }}" >> $GITHUB_STEP_SUMMARY
          echo "**Query Suite:** security-and-quality" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY

          # Find SARIF file (CodeQL action creates it in various locations)
          SARIF_FILE=$(find ${{ runner.temp }} -name "*${{ matrix.language }}*.sarif" -type f 2>/dev/null | head -1)

          if [ -f "$SARIF_FILE" ]; then
            echo "Found SARIF file: $SARIF_FILE"
            RESULT_COUNT=$(jq '.runs[].results | length' "$SARIF_FILE" 2>/dev/null || echo 0)
            ERROR_COUNT=$(jq '[.runs[].results[] | select(.level == "error")] | length' "$SARIF_FILE" 2>/dev/null || echo 0)
            WARNING_COUNT=$(jq '[.runs[].results[] | select(.level == "warning")] | length' "$SARIF_FILE" 2>/dev/null || echo 0)
            NOTE_COUNT=$(jq '[.runs[].results[] | select(.level == "note")] | length' "$SARIF_FILE" 2>/dev/null || echo 0)

            echo "**Findings:**" >> $GITHUB_STEP_SUMMARY
            echo "- 🔴 Errors: $ERROR_COUNT" >> $GITHUB_STEP_SUMMARY
            echo "- 🟡 Warnings: $WARNING_COUNT" >> $GITHUB_STEP_SUMMARY
            echo "- 🔵 Notes: $NOTE_COUNT" >> $GITHUB_STEP_SUMMARY
            echo "" >> $GITHUB_STEP_SUMMARY

            if [ "$ERROR_COUNT" -gt 0 ]; then
              echo "❌ **CRITICAL:** High-severity security issues found!" >> $GITHUB_STEP_SUMMARY
              echo "" >> $GITHUB_STEP_SUMMARY
              echo "### Top Issues:" >> $GITHUB_STEP_SUMMARY
              echo '```' >> $GITHUB_STEP_SUMMARY
              jq -r '.runs[].results[] | select(.level == "error") | "\(.ruleId): \(.message.text)"' "$SARIF_FILE" 2>/dev/null | head -5 >> $GITHUB_STEP_SUMMARY
              echo '```' >> $GITHUB_STEP_SUMMARY
            else
              echo "✅ No high-severity issues found" >> $GITHUB_STEP_SUMMARY
            fi
          else
            echo "⚠️ SARIF file not found - check analysis logs" >> $GITHUB_STEP_SUMMARY
          fi

          echo "" >> $GITHUB_STEP_SUMMARY
          echo "View full results in the [Security tab](https://github.com/${{ github.repository }}/security/code-scanning)" >> $GITHUB_STEP_SUMMARY

      - name: Fail on High-Severity Findings
        if: always()
        run: |
          SARIF_FILE=$(find ${{ runner.temp }} -name "*${{ matrix.language }}*.sarif" -type f 2>/dev/null | head -1)

          if [ -f "$SARIF_FILE" ]; then
            ERROR_COUNT=$(jq '[.runs[].results[] | select(.level == "error")] | length' "$SARIF_FILE" 2>/dev/null || echo 0)

            if [ "$ERROR_COUNT" -gt 0 ]; then
              echo "::error::CodeQL found $ERROR_COUNT high-severity security issues. Fix before merging."
              exit 1
            fi
          fi