Skip to content

chore(ci): govulncheck - use official golang/govulncheck-action for SARIF analysis#4599

Merged
darccio merged 10 commits into
mainfrom
kakkoyun/govulncheck-action-allowlist
Apr 28, 2026
Merged

chore(ci): govulncheck - use official golang/govulncheck-action for SARIF analysis#4599
darccio merged 10 commits into
mainfrom
kakkoyun/govulncheck-action-allowlist

Conversation

@kakkoyun

Copy link
Copy Markdown
Member

What does this PR do?

Replaces the manual go install govulncheck@latest + govulncheck -format sarif in the govulncheck-analysis job with the official golang/[email protected] maintained by the Go Security Team.

This PR will fail CI because golang/govulncheck-action is blocked by the DataDog enterprise action allowlist. It internally uses actions/[email protected] and actions/[email protected] which are not in the allowlist. This PR exists to start the discussion for adding it.

Motivation

The official Go Security Team action provides:

  • Automatic govulncheck version management — always uses the latest govulncheck without manual go install maintenance
  • Built-in SARIF output with the correct schema, handling the --format sarif flag internally
  • Less workflow code — one step instead of three (setup-go + go install + govulncheck)
  • Official support from the Go team — bug fixes and improvements flow in automatically

The manual approach (from #4595) works correctly but requires us to maintain the invocation ourselves.

Note: The govulncheck-tests job (blocking CI check) retains direct invocation via the sandboxed-step from #4598, since golang/govulncheck-action doesn't support the multi-module scanning pattern needed for the 65+ contrib modules.

CI failure context

When we first tried this action in #4595, CI failed with:

"The actions actions/[email protected] and actions/[email protected] are not allowed in DataDog/dd-trace-go because all actions must be from a repository owned by your enterprise, created by GitHub, verified in the GitHub Marketplace, or match one of the patterns..."

The action itself is from the golang GitHub org (official Go project). The only blocker is that its internal transitive dependency on older SHA-pinned action versions triggers the allowlist check.

To merge this PR: request adding golang/govulncheck-action to the DataDog enterprise GitHub Actions allowlist.

References

Reviewer's Checklist

  • N/A — CI/workflow-only change, no Go code modified

@datadog-prod-us1-4

datadog-prod-us1-4 Bot commented Mar 25, 2026

Copy link
Copy Markdown

Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 61.22% (+3.99%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 735339d | Docs | Datadog PR Page | Give us feedback!

@codecov

codecov Bot commented Mar 25, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.94%. Comparing base (1f7ab1c) to head (735339d).

Additional details and impacted files

see 443 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@kakkoyun kakkoyun changed the title ci(govulncheck): use official golang/govulncheck-action for SARIF analysis chore(ci): govulncheck - use official golang/govulncheck-action for SARIF analysis Mar 25, 2026
@kakkoyun kakkoyun added the AI Assisted AI/LLM assistance used in this PR (partially or fully) label Mar 25, 2026
@pr-commenter

pr-commenter Bot commented Mar 25, 2026

Copy link
Copy Markdown

Benchmarks

Benchmark execution time: 2026-04-28 12:11:25

Comparing candidate commit 735339d in PR branch kakkoyun/govulncheck-action-allowlist with baseline commit 1f7ab1c in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 243 metrics, 8 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

@kakkoyun
kakkoyun force-pushed the kakkoyun/govulncheck-sandboxed-step branch from 42b3d61 to f5cf6b9 Compare March 26, 2026 10:10
@kakkoyun
kakkoyun force-pushed the kakkoyun/govulncheck-action-allowlist branch from 4ba424d to b8999e7 Compare March 26, 2026 10:19
kakkoyun added a commit that referenced this pull request Mar 27, 2026
…#4605)

## Why

The `govulncheck-analysis` job (non-blocking SARIF upload) only scanned
core packages. Contrib module vulnerabilities were caught by
`govulncheck-tests` (blocking, sandboxed) but never appeared in the
GitHub Security tab / Code Scanning. This created a gap: a contrib CVE
would fail the PR check but leave no trace in the Security dashboard.

This PR closes that gap by adding a parallel non-blocking
`govulncheck-contribs-analysis` job that scans every contrib module and
uploads results to GitHub Code Scanning.

## What

- **New script**: `govulncheck-contribs-sarif.sh` — mirrors
`govulncheck-contribs-v2.sh` but uses `-format sarif`. It scans each
contrib module, writes a per-module SARIF file to a temp directory, then
merges all runs into a single output file via `jq`.
- **New job**: `govulncheck-contribs-analysis` — sets up Go, installs
govulncheck, runs the script, and uploads the merged SARIF under the
`govulncheck-contribs` category.
- **Updated comment** in `govulncheck-analysis`: replaces the `TODO`
with a reference to the new job.
- **Updated `paths` filter**: adds `govulncheck-contribs-sarif.sh` so
changes to the script trigger the workflow.

## Design decisions

**Why merge SARIF with `jq` instead of uploading per-module files?**
The `upload-sarif` action accepts a directory, but uploading N files
(one per contrib module) would create N separate tool runs in Code
Scanning, making the Security tab noisy. Merging runs into one SARIF
file keeps results grouped under a single `govulncheck-contribs`
category.

**Why not sandbox this job?**
The `govulncheck-contribs-analysis` job is non-blocking and
informational, consistent with `govulncheck-analysis`. The sandboxed
`govulncheck-tests` job provides the security boundary for blocking
checks.

## Stack

This PR is part of a stack:

```
main
 └── #4595 kakkoyun/govulncheck (base)
      └── #4597 kakkoyun/govulncheck-persist-credentials
           └── #4598 kakkoyun/govulncheck-sandboxed-step
                └── #4599 kakkoyun/govulncheck-action-allowlist
                     └── this PR kakkoyun/govulncheck-contrib-sarif
```

Merge order: #4595#4597#4598#4599 → this PR.

## Test plan

- [ ] CI passes on this branch (all three jobs green)
- [ ] `govulncheck-contribs-analysis` job appears in the Actions run
- [ ] SARIF upload succeeds (check `upload-sarif` step output)
- [ ] GitHub Security tab shows findings under `govulncheck-contribs`
category after merge to main
@kakkoyun
kakkoyun force-pushed the kakkoyun/govulncheck-sandboxed-step branch from f5cf6b9 to aa79d34 Compare March 27, 2026 11:13
@kakkoyun
kakkoyun force-pushed the kakkoyun/govulncheck-action-allowlist branch from 528e489 to ddeee11 Compare March 27, 2026 11:16
@kakkoyun
kakkoyun marked this pull request as ready for review April 22, 2026 13:10
@kakkoyun
kakkoyun requested a review from a team as a code owner April 22, 2026 13:10
@kakkoyun
kakkoyun changed the base branch from kakkoyun/govulncheck-sandboxed-step to main April 22, 2026 13:16
@kakkoyun
kakkoyun force-pushed the kakkoyun/govulncheck-action-allowlist branch from 9341efc to 354b2c9 Compare April 22, 2026 13:35

@darccio darccio left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Let me run Codex on it.

@darccio

darccio commented Apr 22, 2026

Copy link
Copy Markdown
Member

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 354b2c918d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/govulncheck.yml
Comment thread .github/workflows/apps/govulncheck-contribs-sarif.sh
@kakkoyun
kakkoyun force-pushed the kakkoyun/govulncheck-action-allowlist branch from 354b2c9 to a166b58 Compare April 22, 2026 14:13
@kakkoyun
kakkoyun requested a review from TamaraLewis April 23, 2026 08:37
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@kakkoyun
kakkoyun force-pushed the kakkoyun/govulncheck-action-allowlist branch 2 times, most recently from 0221ec2 to 57fdbff Compare April 23, 2026 08:56
@kakkoyun

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 74bccce83a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

"version": .[0].version,
"$schema": (.[0]."$schema" // ""),
"runs": [{
"tool": .[0].runs[0].tool,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Merge rule metadata from every SARIF run

When a vulnerability is reported only by a contrib module after the first scanned module, its result.ruleId is defined in that module's tool.driver.rules, but the merged SARIF keeps only the first file's tool. The resulting upload can contain findings whose rule descriptors are absent, so GitHub Code Scanning loses the govulncheck title/help metadata for those contrib alerts. Please merge and dedupe runs[].tool.driver.rules from all inputs along with results.

Useful? React with 👍 / 👎.

…lysis

Replace manual go install + govulncheck -format sarif with the official
Go Security Team action. The action handles Go setup internally and
always installs the latest govulncheck.

Pin to upstream master (commit 31f7c546, 2026-02-26) rather than v1.0.4.
The v1.0.4 release references its transitive actions (actions/checkout,
actions/setup-go) by tag, which fails enterprise repos that enforce
full SHA pinning for all workflow dependencies. Master fixed this in
31f7c546 by pinning actions/checkout@de0fac2e (v6.0.2) and
actions/setup-go@7a3fe6cf (v6.2.0) to full commit SHAs. Upstream has
not yet tagged a v1.0.5 release containing this fix — revisit to pin
to a stable release tag once available.

Ref: https://github.com/golang/govulncheck-action
Ref: golang/govulncheck-action@31f7c54
Signed-off-by: Kemal Akkoyun <[email protected]>
Add govulncheck-contribs-analysis job that scans each contrib module
(each with its own go.mod) with govulncheck in SARIF format, merges
the per-module results into a single SARIF file via jq, and uploads it
to GitHub Code Scanning under a distinct 'govulncheck-contribs' category.

This resolves the gap where contrib vulnerabilities were caught by the
blocking govulncheck-tests job but never appeared in the Security tab.
Both core and contrib findings are now visible in GitHub Code Scanning.

The new govulncheck-contribs-sarif.sh mirrors the logic of the existing
govulncheck-contribs-v2.sh but uses -format sarif and merges outputs.

Signed-off-by: Kemal Akkoyun <[email protected]>
Replace the find-based module discovery in govulncheck-contribs-sarif.sh
and govulncheck-contribs-v2.sh with a grep over go.work.

The find command (-mindepth 2, no -maxdepth) was picking up nested
test-only go.mod files such as:
  contrib/aws/datadog-lambda-go/test/integration_tests/error/go.mod

These directories are not workspace members and not scannable as
standalone modules — govulncheck exits 1 with:
  "main module does not contain package ..."

go.work is the authoritative list of workspace modules and naturally
excludes nested test dirs. govulncheck-contribs-v2.sh had the same
latent bug but swallowed it silently (no set -e); govulncheck-contribs-sarif.sh
surfaced it because it uses set -euo pipefail.

Signed-off-by: Kemal Akkoyun <[email protected]>
CodeQL upload-sarif rejects files containing multiple runs under the
same category since July 2025 (see GitHub changelog 2025-07-21).

The previous jq expression used '[.[].runs[]]' which produced N runs
(one per contrib module). Replace with a single run whose results array
is the union of all per-module results:

  runs[0].tool  — shared govulncheck tool descriptor (same across all)
  results[]?    — all findings merged; '?' handles modules with no findings

govulncheck emits URI-based physicalLocation (not index-based), so
merging results across runs requires no artifact re-indexing.

Signed-off-by: Kemal Akkoyun <[email protected]>
- Add repo-checkout: false to golang/govulncheck-action to prevent the
  action from re-checking out the repo with default credentials/ref,
  which would diverge from inputs.ref on workflow_call.
- Rewrite SARIF URIs to be repo-root-relative before merging: capture
  module_dir before fallback dir rewrite, prefix each %SRCROOT%-relative
  URI with the module path, and drop uriBaseId so Code Scanning
  annotations resolve to the correct files in the merged single-run output.

Signed-off-by: Kemal Akkoyun <[email protected]>
Each per-module govulncheck SARIF file only carries the rules referenced
by its own results. The previous merge kept only .[0].runs[0].tool,
dropping rule descriptors (title, help text) for vulnerabilities found
exclusively in modules scanned after the first.

Collect rules from all runs and deduplicate by id so every ruleId
referenced in the merged results has a corresponding descriptor in
tool.driver.rules.

Signed-off-by: Kemal Akkoyun <[email protected]>
@kakkoyun
kakkoyun force-pushed the kakkoyun/govulncheck-action-allowlist branch from 74bccce to 2aeaf4b Compare April 23, 2026 10:00
@kakkoyun
kakkoyun requested a review from darccio April 23, 2026 10:01
Comment thread .github/workflows/govulncheck.yml
kakkoyun and others added 2 commits April 27, 2026 17:53
Generate an OpenVEX govulncheck report for the core scan, patch the default author and product values, and publish the result as a workflow artifact for security review.
@kakkoyun

Copy link
Copy Markdown
Member Author

@codex review

Resolve the checked-out module through go list at HEAD so the OpenVEX product PURL contains either the release tag or Go pseudo-version for the scanned commit.
@kakkoyun
kakkoyun requested a review from TamaraLewis April 27, 2026 16:15

@TamaraLewis TamaraLewis left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good

@darccio
darccio merged commit 686e98e into main Apr 28, 2026
212 of 218 checks passed
@darccio
darccio deleted the kakkoyun/govulncheck-action-allowlist branch April 28, 2026 14:16
gh-worker-dd-mergequeue-cf854d Bot pushed a commit that referenced this pull request May 12, 2026
### What does this PR do?

Runs the highest-risk dependency/toolchain CI paths inside [`geomys/sandboxed-step`](https://github.com/geomys/sandboxed-step), pinned to `v1.2.1`'s immutable SHA for the repo's SHA-pinning policy.

Concretely, this PR:

- wraps blocking govulncheck execution in a gVisor sandbox
- adds sandboxed contrib-module SARIF generation for GitHub Code Scanning
- keeps the official `golang/govulncheck-action` for core SARIF analysis from #4599
- wraps smoke-test `go get -u` / requested `go-libddwaf` dependency upgrade compilation in a sandbox
- wraps contrib smoke tests that run `go get -u` before tests in a sandbox
- wraps gotip testing, where CI downloads and runs the latest Go toolchain, in a sandbox
- restores/cleans workspaces after sandboxed steps before any upload/token-consuming follow-up steps, preserving only required reports, coverage, or SARIF artifacts

### Motivation

`go get -u`, `go install ...@latest`, `gotip download`, and govulncheck all intentionally pull and execute code from outside this repository. That is exactly the class of CI work where sandboxing helps: it strips most of the ambient authority that a GitHub-hosted runner otherwise gives to dependency code.

This builds on the checkout hardening already in the workflows (`persist-credentials: false`) by also isolating the execution environment with gVisor.

### Notes on implementation

- `geomys/sandboxed-step` is pinned by commit SHA because this repository has `sha_pinning_required: true` for GitHub Actions.
- Steps that need artifacts after sandbox execution use `persist-workspace-changes: 'true'`, then immediately run `git reset --hard` and `git clean -fdx` with narrow exclusions for the required output files.
- Govulncheck tools are installed into `${GITHUB_WORKSPACE}/bin` inside the sandbox so subsequent commands in the same sandboxed step can find them on `PATH`.

### Validation

Local:

- `make lint/action`
- `make -C .github/workflows test-apps.yml && git diff --exit-code -- .github/workflows/test-apps.yml`
- `bash -n scripts/ci_test_contrib.sh scripts/ci_test_core.sh scripts/install_tools.sh scripts/lint.sh`
- `git diff --check`
- YAML parse checks with `yq`

CI/manual runs:

- Manual **Govulncheck** run passed after verifying sandbox logs, SARIF preservation, and Code Scanning upload.
- Manual **Smoke Tests** run passed, including sandboxed updated-dependency compile and sandboxed `go get -u` contrib smoke jobs.
- Manual **Gotip Testing** run passed, including sandboxed gotip download/test execution.
- Latest PR GitHub checks show no failures; only external GitLab benchmark/mergegate aggregate checks were still pending at last inspection.

### References

- [geomys/sandboxed-step](https://github.com/geomys/sandboxed-step)
- [gVisor](https://gvisor.dev/)
- [Filippo Valsorda: Turn Dependabot Off](https://words.filippo.io/dependabot/) — CI sandboxing discussion
- [PR #4595](#4595) — govulncheck workflow foundation
- [PR #4599](#4599) — official govulncheck-action SARIF analysis

### Reviewer's Checklist

- [x] N/A — CI/workflow-only change, no Go code modified


Co-authored-by: darccio <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

AI Assisted AI/LLM assistance used in this PR (partially or fully)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants