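# ═══════════════════════════════════════════════════════════════════════════════
# CodeQL Security Analysis — Static Application Security Testing (SAST)
# ═══════════════════════════════════════════════════════════════════════════════
# Scans JavaScript/TypeScript for vulnerability patterns:
# • SQL / NoSQL injection • Unsafe deserialization
# • Server-side request forgery (SSRF) • Dangerous eval / code injection
# • Path traversal • Cryptographic misuse
# • Incomplete URL validation • Regex denial of service (ReDoS)
#
# Triggers: pushes to main that touch the paths listed under `on.push.paths`,
# every PR to main (no paths filter, see below), weekly Monday 06:00 UTC.
# Weekly scheduled scan catches vulnerabilities introduced by dependency
# updates that land outside normal PR flow (e.g. Dependabot auto-merge).
#
# Results appear in GitHub Security → Code scanning alerts.
# ═══════════════════════════════════════════════════════════════════════════════
name: CodeQL Security Analysis

on:
  push:
    branches: [main]
    # Only run on pushes that can affect scanned code or this workflow itself.
    paths:
      - "frontend/**"
      - ".github/workflows/**"
      - "**.js"
      - "**.ts"
      - "**.tsx"
  pull_request:
    branches: [main]
    # No paths filter — the code_scanning ruleset rule requires CodeQL to
    # report results for every PR commit. On non-code PRs the analysis
    # completes in seconds (nothing to scan) and uploads an empty SARIF.
  schedule:
    # Weekly Monday 06:00 UTC — catches drift from auto-merged deps
    - cron: "0 6 * * 1"

# Least-privilege token: read-only everywhere except the one scope needed
# to publish SARIF to the Code scanning tab.
permissions:
  actions: read
  contents: read
  security-events: write  # Required to upload SARIF results

# One analysis per ref at a time; a newer push supersedes an in-flight scan.
concurrency:
  group: codeql-${{ github.ref }}
  cancel-in-progress: true

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    timeout-minutes: 15

    strategy:
      fail-fast: false
      matrix:
        language: ["javascript-typescript"]
        # Python analysis is available but our Python code is pipeline-only
        # (not deployed). Add "python" here if pipeline code becomes critical.

    steps:
      # Actions are pinned to full commit SHAs (tag noted inline) so a moved
      # tag cannot silently change what runs here.
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Initialize CodeQL
        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        with:
          languages: ${{ matrix.language }}
          # Extended queries catch more issues at cost of some false positives.
          # security-extended is the sweet spot for production codebases.
          queries: security-extended
          # Paths excluded from analysis: dependencies, build output, test
          # reports and test files. Keep this list short — anything ignored
          # here is never scanned.
          config: |
            paths-ignore:
              - "node_modules"
              - ".next"
              - "coverage"
              - "playwright-report"
              - "test-results"
              - "**/*.test.ts"
              - "**/*.test.tsx"
              - "**/*.spec.ts"

      - name: Autobuild
        uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        with:
          category: "/language:${{ matrix.language }}"
          # Upload results to GitHub Security tab
          upload: always

      # Runs even when analysis failed (but not when the job was cancelled)
      # so the run page always links to where the findings live.
      # The interpolated values are the matrix literal above and the
      # repository slug — neither is PR-controlled input.
      - name: Summary
        if: ${{ !cancelled() }}
        run: |
          echo "## CodeQL Security Analysis" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "Language: **${{ matrix.language }}**" >> "$GITHUB_STEP_SUMMARY"
          echo "Query suite: **security-extended**" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "Results: [Security → Code scanning](https://github.com/${{ github.repository }}/security/code-scanning)" >> "$GITHUB_STEP_SUMMARY"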