CodeQL Security Analysis #1364

	name: "CodeQL Security Analysis"

	on:
	push:
	branches: [ main, develop ]
	pull_request:
	branches: [ main, develop ]
	schedule:
	# Run CodeQL analysis daily at 3 AM UTC for comprehensive security scanning
	- cron: '0 3 * * *'

	jobs:
	analyze:
	name: CodeQL Security Analysis
	runs-on: ubuntu-latest
	timeout-minutes: 360
	permissions:
	actions: read
	contents: read
	security-events: write

	strategy:
	fail-fast: false
	matrix:
	language: [ 'go' ]

	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Set up Go
	uses: actions/setup-go@v5
	with:
	go-version: '1.25'
	cache: true

	- name: Cache Go modules
	uses: actions/cache@v4
	with:
	path: \|
	~/.cache/go-build
	~/go/pkg/mod
	key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
	restore-keys: \|
	${{ runner.os }}-go-

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v3
	with:
	languages: ${{ matrix.language }}
	config-file: ./.github/codeql/codeql-config.yml
	queries: +security-and-quality,security-experimental

	- name: Download dependencies
	run: \|
	go mod download
	go mod verify

	- name: Build project for CodeQL analysis
	run: \|
	# Build all packages to ensure comprehensive analysis
	go build -v ./...
	# Build main application
	go build -o eos-build ./cmd/

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v3
	with:
	category: "/language:${{matrix.language}}"
	upload: true

	- name: Upload CodeQL results as artifact
	uses: actions/upload-artifact@v4
	if: always()
	with:
	name: codeql-results-${{ matrix.language }}
	path: /home/runner/work/_temp/codeql_databases/

Provide feedback