Add comprehensive security scanning workflows for Python

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,192 @@
+name: "CodeQL Security Analysis"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  schedule:
+    # Run CodeQL analysis weekly on Mondays at 2 AM UTC
+    - cron: '0 2 * * 1'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+      with:
+        languages: ${{ matrix.language }}
+        # Override default queries to include security-extended for more comprehensive analysis
+        queries: security-extended,security-and-quality
+
+    - name: Setup Python 3.11
+      uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      with:
+        python-version: '3.11'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install tox setuptools wheel
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+      with:
+        category: "/language:${{matrix.language}}"
+        upload: false  # Don't upload to avoid conflict with default setup
+
+  dependency-scan:
+    name: Python Dependency Scan
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+    - name: Setup Python 3.11
+      uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      with:
+        python-version: '3.11'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install tox setuptools wheel
+
+    - name: Install and run Safety
+      continue-on-error: true
+      run: |
+        # Install Safety for Python dependency vulnerability scanning
+        pip install safety==3.2.8
+
+        # Generate requirements from setup.py
+        pip install -e .
+        pip freeze > requirements-frozen.txt
+
+        # Run Safety scan and generate JSON report
+        safety check --json --output safety-results.json || echo "Safety scan completed"
+
+    - name: Install and run pip-audit
+      continue-on-error: true
+      run: |
+        # Install pip-audit for comprehensive Python package vulnerability scanning
+        pip install pip-audit==2.7.3
+
+        # Run pip-audit and generate SARIF
+        pip-audit --format=sarif --output=pip-audit-results.sarif . || echo "pip-audit scan completed"
+
+    - name: Install and run Bandit
+      continue-on-error: true
+      run: |
+        # Install Bandit for Python security linting
+        pip install bandit[toml]==1.7.10
+
+        # Run Bandit security analysis and generate SARIF
+        bandit -r aws_xray_sdk/ -f sarif -o bandit-results.sarif || echo "Bandit scan completed"
+
+    - name: Upload pip-audit results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+      if: always() && hashFiles('pip-audit-results.sarif') != ''
+      with:
+        sarif_file: pip-audit-results.sarif
+        category: 'pip-audit'
+
+    - name: Upload Bandit results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+      if: always() && hashFiles('bandit-results.sarif') != ''
+      with:
+        sarif_file: bandit-results.sarif
+        category: 'bandit-security'
+
+    - name: Upload dependency reports
+      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+      if: always()
+      with:
+        name: dependency-reports
+        path: |
+          safety-results.json
+          pip-audit-results.sarif
+          bandit-results.sarif
+          requirements-frozen.txt
+
+  security-scan:
+    name: Python Security Scan
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+    - name: Setup Python 3.11
+      uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      with:
+        python-version: '3.11'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install tox setuptools wheel
+        pip install -e .
+
+    - name: Run Semgrep security analysis
+      continue-on-error: true
+      run: |
+        # Install Semgrep
+        python -m pip install semgrep==1.88.0
+
+        # Run Semgrep with Python security rules
+        semgrep --config=auto --sarif --output=semgrep-results.sarif . || echo "Semgrep scan completed"
+
+    - name: Run Pylint security checks
+      continue-on-error: true
+      run: |
+        # Install Pylint with security plugins
+        pip install pylint==3.3.1 pylint-django==2.6.1
+
+        # Run Pylint with security-focused checks
+        pylint --load-plugins=pylint.extensions.bad_builtin,pylint.extensions.check_elif,pylint.extensions.comparetozero,pylint.extensions.consider_ternary_expression,pylint.extensions.docparams,pylint.extensions.empty_comment,pylint.extensions.eq_without_hash,pylint.extensions.for_any_all,pylint.extensions.mccabe,pylint.extensions.no_self_use,pylint.extensions.overlapping_exceptions,pylint.extensions.private_import,pylint.extensions.redefined_loop_name,pylint.extensions.redefined_variable_type,pylint.extensions.set_membership,pylint.extensions.typing,pylint.extensions.while_used --output-format=json aws_xray_sdk/ > pylint-results.json || echo "Pylint scan completed"
+
+    - name: Run mypy type checking
+      continue-on-error: true
+      run: |
+        # Install mypy for static type checking
+        pip install mypy==1.13.0
+
+        # Run mypy type checking (security-relevant for type safety)
+        mypy aws_xray_sdk/ --ignore-missing-imports --json-report mypy-report || echo "mypy scan completed"
+
+    - name: Upload Semgrep results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+      if: always() && hashFiles('semgrep-results.sarif') != ''
+      with:
+        sarif_file: semgrep-results.sarif
+        category: 'semgrep-security'
+
+    - name: Upload security analysis reports
+      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+      if: always()
+      with:
+        name: security-analysis-reports
+        path: |
+          semgrep-results.sarif
+          pylint-results.json
+          mypy-report/