chore: Implement CodeQL CI Alignment and Security Scanning
- Added comprehensive QA report for CodeQL CI alignment implementation, detailing tests, results, and findings. - Created CodeQL security scanning guide in documentation, outlining usage and common issues. - Developed pre-commit hooks for CodeQL scans and findings checks, ensuring security issues are identified before commits. - Implemented scripts for running CodeQL Go and JavaScript scans, aligned with CI configurations. - Verified all tests passed, including backend and frontend coverage, TypeScript checks, and SARIF file generation.
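--- a/scripts/pre-commit-hooks/codeql-check-findings.sh
+++ b/scripts/pre-commit-hooks/codeql-check-findings.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+# Check CodeQL SARIF results for HIGH/CRITICAL findings
+set -e
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+FAILED=0
+
+check_sarif() {
+local sarif_file=$1
+local lang=$2
+
+if [ ! -f "$sarif_file" ]; then
+echo -e "${YELLOW}⚠️ No SARIF file found: $sarif_file${NC}"
+echo "Run CodeQL scan first: pre-commit run codeql-$lang-scan --all-files"
+return 0
+fi
+
+echo "🔍 Checking $lang findings..."
+
+# Check for findings using jq (if available)
+if command -v jq &> /dev/null; then
+# Count high/critical severity findings
+HIGH_COUNT=$(jq -r '.runs[].results[] | select(.level == "error" or .level == "warning") | .level' "$sarif_file" 2>/dev/null | wc -l || echo 0)
+
+if [ "$HIGH_COUNT" -gt 0 ]; then
+echo -e "${RED}❌ Found $HIGH_COUNT potential security issues in $lang code${NC}"
+echo ""
+echo "Summary:"
+jq -r '.runs[].results[] | "\(.level): \(.message.text) (\(.locations[0].physicalLocation.artifactLocation.uri):\(.locations[0].physicalLocation.region.startLine))"' "$sarif_file" 2>/dev/null | head -10
+echo ""
+echo "View full results: code $sarif_file"
+FAILED=1
+else
+echo -e "${GREEN}✅ No security issues found in $lang code${NC}"
+fi
+else
+# Fallback: check if file has results
+if grep -q '"results"' "$sarif_file" && ! grep -q '"results": \[\]' "$sarif_file"; then
+echo -e "${YELLOW}⚠️ CodeQL findings detected in $lang (install jq for details)${NC}"
+echo "View results: code $sarif_file"
+FAILED=1
+else
+echo -e "${GREEN}✅ No security issues found in $lang code${NC}"
+fi
+fi
+}
+
+echo "🔒 Checking CodeQL findings..."
+echo ""
+
+check_sarif "codeql-results-go.sarif" "go"
+check_sarif "codeql-results-js.sarif" "js"
+
+if [ $FAILED -eq 1 ]; then
+echo ""
+echo -e "${RED}❌ CodeQL scan found security issues. Please fix before committing.${NC}"
+echo ""
+echo "To view results:"
+echo " - VS Code: Install SARIF Viewer extension"
+echo " - Command line: jq . codeql-results-*.sarif"
+exit 1
+fi
+
+echo ""
+echo -e "${GREEN}✅ All CodeQL checks passed${NC}"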
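Review bot: The gate in check_sarif fails open: `jq … 2>/dev/null | wc -l || echo 0` yields 0 when jq cannot parse the SARIF file (stderr is discarded and there is no `pipefail`), so a truncated or malformed report is announced as "No security issues found". Counting inside jq and treating a parse error as a failure closes that gap, e.g. `HIGH_COUNT=$(jq '[.runs[].results[] | select(.level == "error" or .level == "warning")] | length' "$sarif_file") || { FAILED=1; return 0; }`. The missing-file branch also returns 0 without touching FAILED, so the script still ends with "All CodeQL checks passed" when no scan was run; setting `FAILED=1` there, or skipping the final pass line, avoids that false assurance. The header comment says HIGH/CRITICAL, but the filter is on the SARIF `level` property, which is optional on a result and is not a security-severity score, so results without an explicit `level` would not be counted; this is worth confirming against a real report.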
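--- a/scripts/pre-commit-hooks/codeql-go-scan.sh
+++ b/scripts/pre-commit-hooks/codeql-go-scan.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+# Pre-commit CodeQL Go scan - CI-aligned
+set -e
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+echo -e "${BLUE}🔍 Running CodeQL Go scan (CI-aligned)...${NC}"
+echo ""
+
+# Clean previous database
+rm -rf codeql-db-go
+
+# Create database
+echo "📦 Creating CodeQL database..."
+codeql database create codeql-db-go \
+--language=go \
+--source-root=backend \
+--threads=0 \
+--overwrite
+
+echo ""
+echo "📊 Analyzing with security-and-quality suite..."
+# Analyze with CI-aligned suite
+codeql database analyze codeql-db-go \
+codeql/go-queries:codeql-suites/go-security-and-quality.qls \
+--format=sarif-latest \
+--output=codeql-results-go.sarif \
+--sarif-add-baseline-file-info \
+--threads=0
+
+echo -e "${GREEN}✅ CodeQL Go scan complete${NC}"
+echo "Results saved to: codeql-results-go.sarif"
+echo ""
+echo "Run 'pre-commit run codeql-check-findings' to validate findings"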
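Review bot: A failed scan leaves the previous `codeql-results-go.sarif` in place: only `codeql-db-go` is removed up front, and under `set -e` an error in `codeql database create` or `codeql database analyze` exits before a new report is written, so codeql-check-findings.sh would then evaluate the stale file. Adding `rm -f codeql-results-go.sarif` next to the existing `rm -rf codeql-db-go` ties the check to the current run; codeql-js-scan.sh has the same pattern with `codeql-results-js.sarif`. The suite is referenced as `codeql/go-queries:…` with no version, so "CI-aligned" holds only if CI resolves the same query pack version; a comment naming the CI workflow and the pack version it uses would make drift visible. `RED` and `YELLOW` are assigned but never used in this script.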
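--- a/scripts/pre-commit-hooks/codeql-js-scan.sh
+++ b/scripts/pre-commit-hooks/codeql-js-scan.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+# Pre-commit CodeQL JavaScript/TypeScript scan - CI-aligned
+set -e
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+echo -e "${BLUE}🔍 Running CodeQL JavaScript/TypeScript scan (CI-aligned)...${NC}"
+echo ""
+
+# Clean previous database
+rm -rf codeql-db-js
+
+# Create database
+echo "📦 Creating CodeQL database..."
+codeql database create codeql-db-js \
+--language=javascript \
+--source-root=frontend \
+--threads=0 \
+--overwrite
+
+echo ""
+echo "📊 Analyzing with security-and-quality suite..."
+# Analyze with CI-aligned suite
+codeql database analyze codeql-db-js \
+codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls \
+--format=sarif-latest \
+--output=codeql-results-js.sarif \
+--sarif-add-baseline-file-info \
+--threads=0
+
+echo -e "${GREEN}✅ CodeQL JavaScript/TypeScript scan complete${NC}"
+echo "Results saved to: codeql-results-js.sarif"
+echo ""
+echo "Run 'pre-commit run codeql-check-findings' to validate findings"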