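--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,26 @@
+name: "CodeQL Configuration for Copilot Modernization Plugin"
+
+# Query filters to reduce false positives for tool/utility scripts
+query-filters:
+# These scripts are build/analysis tools, not user-facing applications
+# They process local files and don't expose network endpoints
+
+- exclude:
+id: py/shell-command-constructed-from-input
+# These are CLI tools that intentionally run commands
+# Input is from local file analysis, not untrusted user input
+
+- exclude:
+id: py/path-injection
+# File path construction for local project analysis
+# Paths are scoped to the analyzed project directory
+
+- exclude:
+id: py/clear-text-logging-sensitive-data
+# Logging analysis results and build information
+# No credentials or secrets are processed
+
+# Custom queries configuration
+queries:
+# Use security-extended query suite for comprehensive coverage
+- uses: security-extended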
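Review bot: The three `exclude` entries under `query-filters` suppress `py/shell-command-constructed-from-input`, `py/path-injection` and `py/clear-text-logging-sensitive-data` for the whole repository, which switches off detection for exactly the finding classes a tool that runs commands and builds file paths would produce, and nothing keeps the suppression scoped if a later change starts accepting input from outside the analyzed project. If the intent is to quiet findings in specific tool scripts, narrow the config with `paths` / `paths-ignore`, or suppress the individual alerts at the lines they concern, and keep the queries active for the rest of the codebase. The justification comments would carry more weight if they named the scripts and entry points they refer to, since "no credentials or secrets are processed" is a property of the code that this config cannot enforce. Indentation is not visible in this rendered view, so I cannot confirm that each `id:` line nests under its `exclude:`.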
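--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,46 @@
+name: "CodeQL Advanced Security"
+
+on:
+push:
+branches: [ "main" ]
+pull_request:
+branches: [ "main" ]
+schedule:
+# Run weekly on Monday at 00:00 UTC
+- cron: '0 0 * * 1'
+
+jobs:
+analyze:
+name: Analyze (${{ matrix.language }})
+runs-on: ubuntu-latest
+permissions:
+# Required for all workflows
+security-events: write
+# Required for workflows in private repositories
+contents: read
+actions: read
+
+strategy:
+fail-fast: false
+matrix:
+language: [ 'python', 'javascript-typescript' ]
+
+steps:
+- name: Checkout repository
+uses: actions/checkout@v4
+
+- name: Initialize CodeQL
+uses: github/codeql-action/init@v3
+with:
+languages: ${{ matrix.language }}
+queries: security-extended
+config-file: ./.github/codeql/codeql-config.yml
+
+- name: Autobuild
+uses: github/codeql-action/autobuild@v3
+
+- name: Perform CodeQL Analysis
+uses: github/codeql-action/analyze@v3
+with:
+category: "/language:${{ matrix.language }}"
+upload: true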
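Review bot: The action references `actions/checkout@v4`, `github/codeql-action/init@v3`, `github/codeql-action/autobuild@v3` and `github/codeql-action/analyze@v3` are mutable tags, so a job that holds `security-events: write` runs whatever those tags resolve to at execution time; pinning each to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v4`, makes the supply chain auditable while still letting Dependabot propose bumps. Separately, the `queries: security-extended` input on the init step duplicates the `- uses: security-extended` entry in the config file referenced on the next line; as I read the codeql-action documentation the input replaces the config file's `queries` list unless prefixed with `+`, so keeping both is at best redundant and at worst masks which setting is in effect — drop one. `upload: true` on the analyze step appears to be the default behaviour and can be omitted.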