-
Notifications
You must be signed in to change notification settings - Fork 1
103 lines (93 loc) · 4.02 KB
/
codeql.yml
File metadata and controls
103 lines (93 loc) · 4.02 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
name: "CodeQL"
on:
push:
branches:
- main
pull_request:
branches:
- main
schedule:
# Weekly scan on Sunday at 1:00 UTC (after security.yml at 0:00)
- cron: "0 1 * * 0"
workflow_dispatch:
# Allow manual trigger
permissions:
contents: read
security-events: write
actions: read
jobs:
analyze:
name: Analyze (${{ matrix.language }})
runs-on: ubuntu-latest
timeout-minutes: 10
strategy:
fail-fast: false
matrix:
language:
- javascript-typescript
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# Use default queries plus security-extended
queries: security-extended,security-and-quality
# Use custom config to handle SPARQL 1.1 spec-required patterns
config-file: ./.github/codeql/codeql-config.yml
# Note: For JavaScript/TypeScript, CodeQL can analyze source directly
# without autobuild. Skipping autobuild prevents analysis of generated
# bundled files (main.js) which contain third-party library code.
- name: Perform CodeQL Analysis
id: analyze
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{ matrix.language }}"
# Disable auto-upload so we can filter first
upload: false
# Output SARIF file for post-processing
output: sarif-results
# Filter out known false positives before uploading:
# - BuiltInFunctions.ts: MD5/SHA1 and RAND() usage in SPARQL is required by W3C spec
# - FilterExecutor.ts: Calls RAND() function - same SPARQL 1.1 spec compliance
# - main.js: Bundled file with minified third-party code (reflect-metadata, etc.)
# Alerts from main.js are filtered because the bundled output includes polyfills
# and minified library code where patterns like unreachable statements, hoisted
# var declarations, trivial conditionals, and unneeded defensive code are valid
# optimization artifacts from esbuild's CommonJS/ESM interop helpers
# Filter out known false positives before uploading.
# Test files: TypeScript decorators (@inject) are stripped in compiled JS,
# making constructor calls appear to have "superfluous" arguments when
# tests pass mock dependencies directly - this is valid DI testing pattern.
- name: Filter SARIF for known false positives
uses: advanced-security/filter-sarif@v1
with:
patterns: |
-**/BuiltInFunctions.ts:js/weak-cryptographic-algorithm
-**/BuiltInFunctions.ts:js/insecure-randomness
-**/FilterExecutor.ts:js/insecure-randomness
-**/main.js:js/useless-expression
-**/main.js:js/automatic-semicolon-insertion
-**/main.js:js/trivial-conditional
-**/main.js:js/use-before-declaration
-**/main.js:js/unreachable-statement
-**/main.js:js/redundant-operation
-**/main.js:js/unneeded-defensive-code
-**/main.js:js/useless-assignment-to-local
-**/main.js:js/unused-local-variable
-**/main.js:js/comparison-between-incompatible-types
-**/*.test.ts:js/superfluous-trailing-arguments
-**/*.test.ts:js/unused-local-variable
-**/*.test.tsx:js/unused-local-variable
-**/tests/**:js/unused-local-variable
-**/specs/**:js/unused-local-variable
-**/specs/**:js/comparison-between-incompatible-types
-scripts/*:js/unused-local-variable
input: ${{ steps.analyze.outputs.sarif-output }}/javascript.sarif
output: ${{ steps.analyze.outputs.sarif-output }}/javascript.sarif
- name: Upload filtered SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.analyze.outputs.sarif-output }}
category: "/language:${{ matrix.language }}"