Merged
38 changes: 32 additions & 6 deletions azure-pipelines.yml
Expand Up @@ -28,15 +28,24 @@ extends:
stages:
- stage: stage
jobs:
- job: job
- job: codeql
pool:
name: 1ES-Shared-Hosted-Pool_Linux-Mariner-2
os: linux
vmImage: 'ubuntu-latest'
variables:
# The Mariner-2 hosted agent has no C toolchain / libc headers, so
# cgo-enabled builds fail with "stdlib.h: No such file or directory".
# This repo is pure Go, so disable cgo to use the pure-Go runtime.
CGO_ENABLED: 0
steps:
# Bumped to a Go toolchain supported by the CodeQL Go extractor (>= 1.21).
# The repo's modules still declare `go 1.12` in go.mod, so library
# consumers on older Go are unaffected -- this is a build-time toolchain
# only and no source changes are required.
- task: GoTool@0
inputs:
version: '1.13.5'
version: '1.22.5'
- task: Go@0
inputs:
command: 'get'
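Review bot: In the `GoTool@0` inputs, `version: '1.22.5'` pins one exact patch release, while the comment above it states only the floor the CodeQL Go extractor needs (>= 1.21). An exact pin does not pick up later toolchain releases on its own, so either say in the comment who bumps it and when, or lift the version into a pipeline variable so the bump is a one-line change. Separately, `CGO_ENABLED: 0` is set at job scope, so it also applies to the `get` and `clean` steps, and its comment justifies it by the Mariner-2 agent while the pool block also carries `vmImage: 'ubuntu-latest'`; stating which image the job actually runs on would make the rationale checkable.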
Expand All @@ -46,7 +55,24 @@ extends:
inputs:
command: 'clean'
workingDirectory: '$(System.DefaultWorkingDirectory)/azuredevops'
- task: Go@0
inputs:
command: 'build'
workingDirectory: '$(System.DefaultWorkingDirectory)/azuredevops'
# Static-binary workaround for CodeQL + Go >= 1.21 on Linux.
# Go 1.21 made the toolchain statically linked, so the CodeQL Go
# the database ends up empty. The fix is to put a thin extractor's
# preload tracer can no longer intercept `go` calls and wrapper script
# ahead of the real `go` on PATH and invoke `go build` from the SAME script step
- bash: |
set -euo pipefail
WORKAROUND_DIR="$AGENT_TEMPDIRECTORY/codeql-go-tracing"
mkdir -p "$WORKAROUND_DIR"
WHICH_GO="$(which go)"
cat > "$WORKAROUND_DIR/go" <<EOF
#!/bin/bash
exec "$WHICH_GO" "\$@"
EOF
chmod +x "$WORKAROUND_DIR/go"
export PATH="$WORKAROUND_DIR:$PATH"
echo "Using go wrapper at: $(which go)"
go version
go build ./...
workingDirectory: '$(System.DefaultWorkingDirectory)/azuredevops'
displayName: 'CodeQL Go wrapper + build (azuredevops module)'
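Review bot: Nothing in the bash step verifies that the wrapper is the `go` that actually runs: `echo "Using go wrapper at: $(which go)"` only logs the resolved path, and the failure this step works around is described in its own comment as a silent one (the database ends up empty). Suggest failing the step when the resolved `go` is not `"$WORKAROUND_DIR/go"`, so a PATH change on the agent shows up as a red build rather than an empty scan. Two smaller points: `WHICH_GO="$(which go)"` would be more portable as `command -v go`, and since `export PATH=...` lasts only for this script, any later step that calls `go` will bypass the wrapper, which is worth stating next to the "SAME script step" remark. The step also builds only the `azuredevops` working directory, while the earlier comment speaks of the repo's modules in the plural; if there are others, they get no extraction here.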