akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 14 Packages Projects Releases Wiki Activity

chore: Implement CodeQL CI Alignment and Security Scanning

Browse Source 
- Added comprehensive QA report for CodeQL CI alignment implementation, detailing tests, results, and findings.
- Created CodeQL security scanning guide in documentation, outlining usage and common issues.
- Developed pre-commit hooks for CodeQL scans and findings checks, ensuring security issues are identified before commits.
- Implemented scripts for running CodeQL Go and JavaScript scans, aligned with CI configurations.
- Verified all tests passed, including backend and frontend coverage, TypeScript checks, and SARIF file generation.
This commit is contained in:
GitHub Actions
2025-12-24 14:35:33 +00:00
parent 369182f460
commit 70bd60dbce
23 changed files with 6049 additions and 652 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
.vscode/tasks.json vendored
View File

@@ -150,19 +150,68 @@
"problemMatcher": []
},
{
"label": "Security: CodeQL Go Scan",
"label": "Security: CodeQL Go Scan (DEPRECATED)",
"type": "shell",
"command": "codeql database create codeql-db-go --language=go --source-root=backend --overwrite && codeql database analyze codeql-db-go /projects/codeql/codeql/go/ql/src/codeql-suites/go-security-extended.qls --format=sarif-latest --output=codeql-results-go.sarif",
"group": "test",
"problemMatcher": []
},
{
"label": "Security: CodeQL JS Scan",
"label": "Security: CodeQL JS Scan (DEPRECATED)",
"type": "shell",
"command": "codeql database create codeql-db-js --language=javascript --source-root=frontend --overwrite && codeql database analyze codeql-db-js /projects/codeql/codeql/javascript/ql/src/codeql-suites/javascript-security-extended.qls --format=sarif-latest --output=codeql-results-js.sarif",
"group": "test",
"problemMatcher": []
},
{
"label": "Security: CodeQL Go Scan (CI-Aligned) [~60s]",
"type": "shell",
"command": "bash -c 'set -e && \\\n echo \"🔍 Creating CodeQL database for Go...\" && \\\n rm -rf codeql-db-go && \\\n codeql database create codeql-db-go \\\n --language=go \\\n --source-root=backend \\\n --overwrite \\\n --threads=0 && \\\n echo \"\" && \\\n echo \"📊 Running CodeQL analysis (security-and-quality suite)...\" && \\\n codeql database analyze codeql-db-go \\\n codeql/go-queries:codeql-suites/go-security-and-quality.qls \\\n --format=sarif-latest \\\n --output=codeql-results-go.sarif \\\n --sarif-add-baseline-file-info \\\n --threads=0 && \\\n echo \"\" && \\\n echo \"✅ CodeQL scan complete. Results: codeql-results-go.sarif\" && \\\n echo \"\" && \\\n echo \"📋 Summary of findings:\" && \\\n codeql database interpret-results codeql-db-go \\\n --format=text \\\n --output=/dev/stdout \\\n codeql/go-queries:codeql-suites/go-security-and-quality.qls 2>/dev/null || \\\n (echo \"⚠️ Use SARIF Viewer extension to view detailed results\" && jq -r \".runs[].results[] | \\\"\\(.level): \\(.message.text) (\\(.locations[0].physicalLocation.artifactLocation.uri):\\(.locations[0].physicalLocation.region.startLine))\\\"\" codeql-results-go.sarif 2>/dev/null | head -20 || echo \"No findings or jq not available\")'",
"group": "test",
"problemMatcher": [],
"presentation": {
"echo": true,
"reveal": "always",
"focus": false,
"panel": "shared",
"showReuseMessage": false,
"clear": false
}
},
{
"label": "Security: CodeQL JS Scan (CI-Aligned) [~90s]",
"type": "shell",
"command": "bash -c 'set -e && \\\n echo \"🔍 Creating CodeQL database for JavaScript/TypeScript...\" && \\\n rm -rf codeql-db-js && \\\n codeql database create codeql-db-js \\\n --language=javascript \\\n --source-root=frontend \\\n --overwrite \\\n --threads=0 && \\\n echo \"\" && \\\n echo \"📊 Running CodeQL analysis (security-and-quality suite)...\" && \\\n codeql database analyze codeql-db-js \\\n codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls \\\n --format=sarif-latest \\\n --output=codeql-results-js.sarif \\\n --sarif-add-baseline-file-info \\\n --threads=0 && \\\n echo \"\" && \\\n echo \"✅ CodeQL scan complete. Results: codeql-results-js.sarif\" && \\\n echo \"\" && \\\n echo \"📋 Summary of findings:\" && \\\n codeql database interpret-results codeql-db-js \\\n --format=text \\\n --output=/dev/stdout \\\n codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls 2>/dev/null || \\\n (echo \"⚠️ Use SARIF Viewer extension to view detailed results\" && jq -r \".runs[].results[] | \\\"\\(.level): \\(.message.text) (\\(.locations[0].physicalLocation.artifactLocation.uri):\\(.locations[0].physicalLocation.region.startLine))\\\"\" codeql-results-js.sarif 2>/dev/null | head -20 || echo \"No findings or jq not available\")'",
"group": "test",
"problemMatcher": [],
"presentation": {
"echo": true,
"reveal": "always",
"focus": false,
"panel": "shared",
"showReuseMessage": false,
"clear": false
}
},
{
"label": "Security: CodeQL All (CI-Aligned)",
"type": "shell",
"dependsOn": ["Security: CodeQL Go Scan (CI-Aligned) [~60s]", "Security: CodeQL JS Scan (CI-Aligned) [~90s]"],
"dependsOrder": "sequence",
"group": "test",
"problemMatcher": []
},
{
"label": "Security: CodeQL Scan (Skill)",
"type": "shell",
"command": ".github/skills/scripts/skill-runner.sh security-scan-codeql",
"group": "test",
"problemMatcher": [],
"presentation": {
"reveal": "always",
"panel": "shared"
}
},
{
"label": "Security: Go Vulnerability Check",
"type": "shell",