codeql-config.yml
25 lines (22 loc) · 947 Bytes
name: CodeQL config for `hsh`
# Path filters for the CodeQL analysis. Test / example / bench / fuzz
# code legitimately carries hard-coded passwords, salts, and KDF
# parameters as fixtures — those are *not* security issues.
#
# Production code under `crates/*/src/` is analysed normally; so are
# the workflow YAMLs under `.github/workflows/` for the `actions`
# language. We use `paths-ignore` exclusively here so language
# discovery isn't restricted (a top-level `paths:` would scope
# everything to those globs, including GitHub Actions YAMLs).
paths-ignore:
- crates/*/tests/**
- crates/*/examples/**
- crates/*/benches/**
- fuzz/fuzz_targets/**
- pkg/**
# Queries are the defaults. The `rust/hard-coded-cryptographic-value`
# rule is *expected* to fire in test/example/bench/fuzz code (which is
# why we exclude those paths above); for any production-code finding
# we want the alert.
queries:
- uses: security-and-quality
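As an added check (not part of the `hsh` repository), a small Python matcher that applies this file's `paths-ignore` globs to constructed sample paths and contrasts that with what a top-level `paths:` filter would have done to the workflow YAMLs. The glob semantics (`**` spans any number of directory levels, `*` and `?` stay within one path segment) are assumed from the CodeQL path-filter documentation; `in_scope` and `glob_to_regex` are helper names chosen here.

```python
import re

# paths-ignore globs copied from the codeql-config.yml above.
PATHS_IGNORE = [
    "crates/*/tests/**",
    "crates/*/examples/**",
    "crates/*/benches/**",
    "fuzz/fuzz_targets/**",
    "pkg/**",
]


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a CodeQL-style path glob into an anchored regex.
    Assumed semantics: '**' spans zero or more path segments, '*' and
    '?' never cross a '/', everything else is literal."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):   # leading or middle '**/'
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):  # trailing '**'
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def in_scope(path: str, paths=None, paths_ignore=()) -> bool:
    """True if CodeQL would analyse `path` under the given filters.
    A non-empty `paths` list restricts scope to matching files first;
    `paths_ignore` then removes anything it matches."""
    if paths and not any(glob_to_regex(p).match(path) for p in paths):
        return False
    return not any(glob_to_regex(p).match(path) for p in paths_ignore)


if __name__ == "__main__":
    # Constructed sample paths; fixtures drop out, production and
    # workflow files stay in, unless a top-level `paths:` scopes them away.
    for sample in ["crates/hsh/src/lib.rs", "crates/hsh/tests/fixtures.rs",
                   "fuzz/fuzz_targets/kdf.rs", ".github/workflows/codeql.yml"]:
        print(f"{sample}: ignore-only={in_scope(sample, paths_ignore=PATHS_IGNORE)} "
              f"with-paths={in_scope(sample, ['crates/*/src/**'], PATHS_IGNORE)}")
```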