Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
109 changes: 109 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
name: CodeQL

# Standalone CodeQL workflow (split out of build-test.yml so security analysis
# evolves independently of the build/test pipeline and shows as its own
# PR check). Third-party actions pinned to commit SHAs — see build-test.yml header.

# nginx version is resolved at run time (see "Resolve latest mainline nginx"
# step) rather than pinned, so this analysis tracks current mainline.

env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
NGINX_VERSION: ""

on:
push:
branches: [master, main, dev]
pull_request:
branches: [master, main]
schedule:
# Monthly, day 1 @ 04:47 UTC (staggered per repo like ci-deep).
- cron: "47 4 1 * *"
workflow_dispatch: {}

concurrency:
group: codeql-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

jobs:
codeql:
name: CodeQL
runs-on: ubuntu-latest
timeout-minutes: 30
permissions:
contents: read
security-events: write

steps:
- name: Checkout module
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5

- name: Resolve latest mainline nginx
run: |
set -euo pipefail
ver=$(curl -fsSL https://nginx.org/en/download.html \
| grep -oP 'nginx-\K[0-9]+\.[0-9]+\.[0-9]+(?=\.tar\.gz)' \
| sort -V | tail -1)
if [ -z "$ver" ]; then
echo "::error::could not resolve mainline nginx version from nginx.org"
exit 1
fi
echo "Resolved nginx mainline: $ver"
echo "NGINX_VERSION=$ver" >> "$GITHUB_ENV"

- name: Install build dependencies
run: |
sudo apt-get update
sudo apt-get install -y build-essential pkg-config libzstd-dev \
libpcre2-dev zlib1g-dev wget

- name: Cache nginx source tarball
id: nginx-tarball
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: nginx-${{ env.NGINX_VERSION }}.tar.gz
key: nginx-src-${{ env.NGINX_VERSION }}

- name: Download nginx source tarball
if: steps.nginx-tarball.outputs.cache-hit != 'true'
run: wget -q "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz"

- name: Initialize CodeQL
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
with:
languages: c-cpp
queries: security-extended
paths: |
filter
static
*.c
*.h
paths-ignore: |
nginx-*

- name: Build module sources for CodeQL
run: |
tar -xzf "nginx-${NGINX_VERSION}.tar.gz"
cd "nginx-${NGINX_VERSION}"
# --add-module (static) compiles the zstd module objects INTO the
# nginx binary, so a full `make` is what the CodeQL tracer sees.
# `make modules` only builds --add-dynamic-module .so targets and
# leaves the static add-module untouched, which is why CodeQL
# reported "no source code seen during build". Do not redirect
# configure to /dev/null — a silent configure failure would also
# produce an empty CodeQL database.
./configure \
--with-compat \
--with-debug \
--with-cc-opt="-DZSTD_STATIC_LINKING_ONLY $(pkg-config --cflags libzstd zlib libpcre2-8)" \
--with-ld-opt="$(pkg-config --libs libzstd zlib libpcre2-8)" \
--add-module="$GITHUB_WORKSPACE"
make -j"$(nproc)"

- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
with:
category: "/language:c-cpp"
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
[![Fuzzing](https://github.com/myguard-labs/nginx-zstd-module/actions/workflows/fuzzing.yml/badge.svg)](https://github.com/myguard-labs/nginx-zstd-module/actions/workflows/fuzzing.yml)
[![Valgrind](https://github.com/myguard-labs/nginx-zstd-module/actions/workflows/valgrind.yml/badge.svg)](https://github.com/myguard-labs/nginx-zstd-module/actions/workflows/valgrind.yml)
[![CI Deep](https://github.com/myguard-labs/nginx-zstd-module/actions/workflows/ci-deep.yml/badge.svg)](https://github.com/myguard-labs/nginx-zstd-module/actions/workflows/ci-deep.yml)
[![CodeQL](https://github.com/myguard-labs/nginx-zstd-module/actions/workflows/codeql.yml/badge.svg)](https://github.com/myguard-labs/nginx-zstd-module/actions/workflows/codeql.yml)

📖 **Background reading:**
- [zstd nginx module: what it does, bugs fixed](https://deb.myguard.nl/2026/05/zstd-nginx-module-what-it-does-bugs-fixed/)
Expand Down
Loading