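#!/usr/bin/env bash
# Pre-commit CodeQL Go scan - CI-aligned
#
# Builds a CodeQL database for ./backend, runs the security-and-quality
# suite (the same suite codeql.yml uses in CI) and then checks that the
# number of Go files CodeQL extracted equals the compiled-file count from
# `go list`, so suite/trigger/build-tag drift is caught before merging.
#
# Requires codeql, go and jq on PATH. Run from the repository root (all
# paths below are relative to it). Writes codeql-results-go.sarif.
set -euo pipefail

readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'

# Scratch file for the analyze output. The EXIT trap removes it on every
# exit path, including a `codeql` failure that aborts the script under set -e
# (the original only removed it on the two explicit paths).
ANALYZE_LOG=$(mktemp)
cleanup() { rm -f -- "$ANALYZE_LOG"; }
trap cleanup EXIT

printf '%b\n' "${BLUE}🔍 Running CodeQL Go scan (CI-aligned)...${NC}"
echo ""

# Fail early with a clear message rather than deep inside the pipeline.
if ! command -v codeql >/dev/null 2>&1; then
  printf '%b\n' "${RED}❌ codeql CLI is required to build and analyze the database${NC}"
  exit 1
fi
if ! command -v go >/dev/null 2>&1; then
  printf '%b\n' "${RED}❌ go is required to compute the go list baseline${NC}"
  exit 1
fi
if ! command -v jq >/dev/null 2>&1; then
  printf '%b\n' "${RED}❌ jq is required for CodeQL extraction metric validation${NC}"
  exit 1
fi

# Clean previous database
rm -rf codeql-db-go

# Create database
echo "📦 Creating CodeQL database..."
codeql database create codeql-db-go \
  --language=go \
  --source-root=backend \
  --codescanning-config=.github/codeql/codeql-config.yml \
  --threads=0 \
  --overwrite

echo ""
echo "📊 Analyzing with security-and-quality suite..."
# Analyze with CI-aligned suite (mirrors codeql.yml queries: security-and-quality)
# pipefail ensures a failing `codeql` aborts the script even though tee succeeds.
codeql database analyze codeql-db-go \
  codeql/go-queries:codeql-suites/go-security-and-quality.qls \
  --format=sarif-latest \
  --output=codeql-results-go.sarif \
  --sarif-add-baseline-file-info \
  --threads=0 2>&1 | tee "$ANALYZE_LOG"

echo ""
echo "🧮 Validating extraction metric against go list baseline..."
# Go + cgo files that `go list` compiles under the current build tags; this is
# the reference count CodeQL's extracted-file count must match.
BASELINE_COUNT=$(cd backend && go list -json ./... | jq -s 'map((.GoFiles|length)+(.CgoFiles|length))|add')
# Last "CodeQL scanned X out of Y Go files" line, empty when absent
# (`|| true` keeps grep's no-match status from tripping set -e / pipefail).
SCAN_LINE=$(grep -Eo 'CodeQL scanned [0-9]+ out of [0-9]+ Go files' "$ANALYZE_LOG" | tail -1 || true)

if [[ -z "$SCAN_LINE" ]]; then
  printf '%b\n' "${RED}❌ Could not parse CodeQL extraction metric from analyze output${NC}"
  echo "Expected a line like: CodeQL scanned X out of Y Go files"
  exit 1
fi

# Fields of "CodeQL scanned X out of Y Go files": $3 = X (extracted), $6 = Y (raw).
EXTRACTED_COUNT=$(awk '{print $3}' <<<"$SCAN_LINE")
RAW_COUNT=$(awk '{print $6}' <<<"$SCAN_LINE")

if [[ "$EXTRACTED_COUNT" != "$BASELINE_COUNT" ]]; then
  printf '%b\n' "${RED}❌ CodeQL extraction drift detected${NC}"
  echo " - go list compiled-file baseline: $BASELINE_COUNT"
  echo " - CodeQL extracted compiled files: $EXTRACTED_COUNT"
  echo " - CodeQL raw-repo denominator: $RAW_COUNT"
  echo "Resolve suite/trigger/build-tag drift before merging."
  exit 1
fi

printf '%b\n' "${GREEN}✅ Extraction parity OK${NC} (compiled baseline=$BASELINE_COUNT, extracted=$EXTRACTED_COUNT, raw=$RAW_COUNT)"

printf '%b\n' "${GREEN}✅ CodeQL Go scan complete${NC}"
echo "Results saved to: codeql-results-go.sarif"
echo ""
# The backticks are escaped: unescaped inside double quotes they are command
# substitution, so the original line actually executed `lefthook run pre-commit`
# from within the pre-commit hook instead of printing it.
printf '%s\n' "Run 'lefthook run pre-commit' (or \`lefthook run pre-commit\` which includes codeql-check-findings) to validate findings"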