1 files changed, 49 insertions, 5 deletions

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ae5818afc..6c2c36365 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -21,6 +21,7 @@ jobs:
     outputs:
       cpp: ${{ steps.cpp.outputs.run }}
       python: ${{ steps.python.outputs.run }}
+      go: ${{ steps.go.outputs.run }}
     steps:
       - name: Clone repository
         uses: actions/checkout@v4
@@ -57,7 +58,7 @@ jobs:
         id: python
         run: |
           if [ "${{ steps.always.outputs.run }}" = "false" ]; then
-            if git diff --name-only origin/${{ github.base_ref }} HEAD | grep -Eq 'collectors/python.d.plugin/.*\.py' ; then
+            if git diff --name-only origin/${{ github.base_ref }} HEAD | grep -Eq 'src/collectors/python.d.plugin/.*\.py' ; then
               echo "run=true" >> "${GITHUB_OUTPUT}"
               echo '::notice::Python code has changed, need to run CodeQL.'
             else
@@ -66,6 +67,19 @@ jobs:
           else
             echo "run=true" >> "${GITHUB_OUTPUT}"
           fi
+      - name: Check for Go changes
+        id: go
+        run: |
+          if [ "${{ steps.always.outputs.run }}" = "false" ]; then
+            if git diff --name-only origin/${{ github.base_ref }} HEAD | grep -Eq 'src/go/*\.go' ; then
+              echo "run=true" >> "${GITHUB_OUTPUT}"
+              echo '::notice::Go code has changed, need to run CodeQL.'
+            else
+              echo "run=false" >> "${GITHUB_OUTPUT}"
+            fi
+          else
+            echo "run=true" >> "${GITHUB_OUTPUT}"
+          fi
 
   analyze-cpp:
     name: Analyze C/C++
@@ -81,7 +95,7 @@ jobs:
           submodules: recursive
           fetch-depth: 0
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
           languages: cpp
           config-file: ./.github/codeql/c-cpp-config.yml
@@ -90,7 +104,7 @@ jobs:
       - name: Build netdata
         run: ./netdata-installer.sh --dont-start-it --disable-telemetry --dont-wait --install-prefix /tmp/install --one-time-build
       - name: Run CodeQL
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
         with:
           category: "/language:cpp"
 
@@ -108,11 +122,41 @@ jobs:
           submodules: recursive
           fetch-depth: 0
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
           config-file: ./.github/codeql/python-config.yml
           languages: python
       - name: Run CodeQL
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
         with:
           category: "/language:python"
+
+  analyze-go:
+    name: Analyze Go
+    runs-on: ubuntu-latest
+    needs: prepare
+    if: needs.prepare.outputs.go == 'true'
+    strategy:
+      matrix:
+        tree:
+          - src/go/collectors/go.d.plugin
+    permissions:
+      security-events: write
+    steps:
+      - name: Git clone repository
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+          fetch-depth: 0
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: go
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+        with:
+          working-directory: ${{ matrix.tree }}
+      - name: Run CodeQL
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:go"