fix(CodeQL Go scan): bump Go to 1.22.5 and add wrapper-script tracer#198
Merged
Conversation
imenkov
changed the title
imenkov
changed the title
Rimobul
previously approved these changes
Jun 10, 2026
apudovkin-ms
approved these changes
Jun 10, 2026
There was a problem hiding this comment.
Pull request overview
Updates the Azure Pipelines configuration to make CodeQL’s Go extraction work reliably for this repository by using a supported Go toolchain and ensuring the CodeQL tracer can observe go build executions across all packages.
Changes:
- Bump the pipeline Go toolchain from 1.13.5 to 1.22.5 to satisfy CodeQL Go extractor requirements.
- Disable cgo at the job level (
CGO_ENABLED: 0) to avoid toolchain/header issues on the Mariner-2 hosted agent. - Replace the Go build task with a single Bash step that installs a
gowrapper onPATHand runsgo build ./...to cover all subpackages.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+59
to
+62
| # Go 1.21 made the toolchain statically linked, so the CodeQL Go | ||
| # the database ends up empty. The fix is to put a thin extractor's | ||
| # preload tracer can no longer intercept `go` calls and wrapper script | ||
| # ahead of the real `go` on PATH and invoke `go build` from the SAME script step |
Comment on lines
+67
to
+70
| WHICH_GO="$(which go)" | ||
| cat > "$WORKAROUND_DIR/go" <<EOF | ||
| #!/bin/bash | ||
| exec "$WHICH_GO" "\$@" |
| EOF | ||
| chmod +x "$WORKAROUND_DIR/go" | ||
| export PATH="$WORKAROUND_DIR:$PATH" | ||
| echo "Using go wrapper at: $(which go)" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fix for CodeQL Go scanning for this repo, which has been producing empty databases (
No source code was built for goin CodeQL Finalize).Root causes
GoTool@0to1.13.5, but the CodeQL Go extractor requires Go ≥ 1.21.gobinary, so even with a working extractor, no Go source was being captured.stdlib.h: No such file or directory.Go@0 command: buildonly built the rootazuredevopspackage, leaving the ~70 subpackages out of the database.Changes
All edits are scoped to azure-pipelines.yml:
go 1.12ingo.mod, so SDK consumers are unaffected).CGO_ENABLED: 0so the pure-Go runtime is used on the Mariner-2 agent.bash:task that:goin$AGENT_TEMPDIRECTORY/codeql-go-tracing.PATHso the CodeQL preload tracer can intercept invocations.go build ./...from the same script step, covering every package in theazuredevopsmodule.