chore: Implement CodeQL CI Alignment and Security Scanning

- Added comprehensive QA report for CodeQL CI alignment implementation, detailing tests, results, and findings.
- Created CodeQL security scanning guide in documentation, outlining usage and common issues.
- Developed pre-commit hooks for CodeQL scans and findings checks, ensuring security issues are identified before commits.
- Implemented scripts for running CodeQL Go and JavaScript scans, aligned with CI configurations.
- Verified all tests passed, including backend and frontend coverage, TypeScript checks, and SARIF file generation.
GitHub Actions
2025-12-24 14:35:33 +00:00
parent 369182f460
commit 70bd60dbce
23 changed files with 6049 additions and 652 deletions


@@ -80,12 +80,27 @@ Before proposing ANY code change or fix, you must build a mental map of the feat
Before marking an implementation task as complete, perform the following in order:
1. **Security Scans**: Run all security scans and ensure zero vulnerabilities.
- **CodeQL Go Scan**: Run VS Code task "Security: CodeQL Go Scan" for backend analysis.
- **CodeQL JS Scan**: Run VS Code task "Security: CodeQL JS Scan" for frontend analysis.
- **Trivy**: Run VS Code task "Security: Trivy Scan" for container/dependency vulnerabilities.
- **Results**: View SARIF output files in VS Code using the SARIF Viewer extension.
- **Zero high-severity findings allowed**. Medium/low findings should be documented and triaged.
1. **Security Scans** (MANDATORY - Zero Tolerance):
- **CodeQL Go Scan**: Run VS Code task "Security: CodeQL Go Scan (CI-Aligned)" OR `pre-commit run codeql-go-scan --all-files`
- Must use `security-and-quality` suite (CI-aligned)
- **Zero high/critical (error-level) findings allowed**
- Medium/low findings should be documented and triaged
- **CodeQL JS Scan**: Run VS Code task "Security: CodeQL JS Scan (CI-Aligned)" OR `pre-commit run codeql-js-scan --all-files`
- Must use `security-and-quality` suite (CI-aligned)
- **Zero high/critical (error-level) findings allowed**
- Medium/low findings should be documented and triaged
- **Validate Findings**: Run `pre-commit run codeql-check-findings --all-files` to check for HIGH/CRITICAL issues
- **Trivy Container Scan**: Run VS Code task "Security: Trivy Scan" for container/dependency vulnerabilities
- **Results Viewing**:
- Primary: VS Code SARIF Viewer extension (`MS-SarifVSCode.sarif-viewer`)
- Alternative: `jq` command-line parsing: `jq '.runs[].results' codeql-results-*.sarif`
- CI: GitHub Security tab for automated uploads
- **⚠️ CRITICAL:** CodeQL scans are NOT run by default pre-commit hooks (manual stage for performance). You MUST run them explicitly via VS Code tasks or pre-commit manual commands before completing any task.
- **Why:** CI enforces security-and-quality suite and blocks HIGH/CRITICAL findings. Local verification prevents CI failures and ensures security compliance.
- **CI Alignment:** Local scans now use identical parameters to CI:
- Query suite: `security-and-quality` (61 Go queries, 204 JS queries)
- Database creation: `--threads=0 --overwrite`
- Analysis: `--sarif-add-baseline-file-info`
2. **Pre-Commit Triage**: Run `pre-commit run --all-files`.
- If errors occur, **fix them immediately**.
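Review bot: the severity gate in the added "Security Scans" block conflates two different SARIF fields. "Zero high/critical (error-level) findings allowed" reads as if the result `level` (`error`/`warning`/`note`, derived from the query's problem severity) and the rule's `security-severity` score (what the GitHub Security tab maps to critical/high/medium/low) were the same thing, but they are independent: a `warning`-level security result can carry a high `security-severity`, and error-level quality-suite queries carry no `security-severity` at all. State which field `pre-commit run codeql-check-findings --all-files` actually gates on, and make the `jq` alternative match that gate, for example `jq '.runs[].results[] | select(.level == "error")' codeql-results-*.sarif` rather than `jq '.runs[].results' codeql-results-*.sarif`, which dumps every result regardless of severity. The "CI Alignment" bullet also asserts "identical parameters to CI" and fixed query counts ("61 Go queries, 204 JS queries"); those counts change with each CodeQL CLI/bundle release, so either pin the CodeQL version this was measured against or point at the workflow file so the claim stays verifiable.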