fix: remove security-experimental queries from CodeQL configuration to prevent false positives

2026-03-07 03:48:04 +00:00
parent 6add11f1d2
commit 82e2134333
4 changed files with 9 additions and 11 deletions
--- a/scripts/ci/check-codeql-parity.sh
+++ b/scripts/ci/check-codeql-parity.sh
@@ -119,14 +119,14 @@ ensure_event_branches_semantic \
  "branches: [main]" \
  "main" || fail "codeql.yml push branches must be [main]"
 grep -Fq 'security-and-quality' "$CODEQL_WORKFLOW" || fail "codeql.yml must include security-and-quality in init queries"
-grep -Fq 'security-experimental' "$CODEQL_WORKFLOW" || fail "codeql.yml must include security-experimental in init queries (align with local scans)"
+! grep -Fq 'security-experimental' "$CODEQL_WORKFLOW" || fail "codeql.yml must NOT include security-experimental (produces false positives in test files)"
 ensure_task_command "$TASKS_FILE" "Security: CodeQL Go Scan (CI-Aligned) [~60s]" "bash scripts/pre-commit-hooks/codeql-go-scan.sh" || fail "Missing or mismatched CI-aligned Go CodeQL task (label+command)"
 ensure_task_command "$TASKS_FILE" "Security: CodeQL JS Scan (CI-Aligned) [~90s]" "bash scripts/pre-commit-hooks/codeql-js-scan.sh" || fail "Missing or mismatched CI-aligned JS CodeQL task (label+command)"
 ! grep -Fq 'go-security-extended.qls' "$TASKS_FILE" || fail "tasks.json contains deprecated go-security-extended suite; use CI-aligned scripts"
 ! grep -Fq 'javascript-security-extended.qls' "$TASKS_FILE" || fail "tasks.json contains deprecated javascript-security-extended suite; use CI-aligned scripts"
 grep -Fq 'codeql/go-queries:codeql-suites/go-security-and-quality.qls' "$GO_PRECOMMIT_SCRIPT" || fail "Go pre-commit script must use go-security-and-quality suite"
-grep -Fq 'codeql/go-queries:codeql-suites/go-security-experimental.qls' "$GO_PRECOMMIT_SCRIPT" || fail "Go pre-commit script must use go-security-experimental suite (align with CI)"
+! grep -Fq 'codeql/go-queries:codeql-suites/go-security-experimental.qls' "$GO_PRECOMMIT_SCRIPT" || fail "Go pre-commit script must NOT use go-security-experimental suite"
 grep -Fq 'codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls' "$JS_PRECOMMIT_SCRIPT" || fail "JS pre-commit script must use javascript-security-and-quality suite"
-grep -Fq 'codeql/javascript-queries:codeql-suites/javascript-security-experimental.qls' "$JS_PRECOMMIT_SCRIPT" || fail "JS pre-commit script must use javascript-security-experimental suite (align with CI)"
+! grep -Fq 'codeql/javascript-queries:codeql-suites/javascript-security-experimental.qls' "$JS_PRECOMMIT_SCRIPT" || fail "JS pre-commit script must NOT use javascript-security-experimental suite"

-echo "CodeQL parity check passed (workflow triggers + suite pinning [security-and-quality + security-experimental] + local/CI alignment)"
+echo "CodeQL parity check passed (workflow triggers + suite pinning [security-and-quality] + local/CI alignment)"
--- a/scripts/pre-commit-hooks/codeql-go-scan.sh
+++ b/scripts/pre-commit-hooks/codeql-go-scan.sh
@@ -28,12 +28,11 @@ codeql database create codeql-db-go \
  --overwrite

 echo ""
-echo "📊 Analyzing with security-and-quality + security-experimental suites..."
+echo "📊 Analyzing with security-and-quality suite..."
 ANALYZE_LOG=$(mktemp)
-# Analyze with CI-aligned suites (mirrors codeql.yml queries: security-and-quality,security-experimental)
+# Analyze with CI-aligned suite (mirrors codeql.yml queries: security-and-quality)
 codeql database analyze codeql-db-go \
  codeql/go-queries:codeql-suites/go-security-and-quality.qls \
-  codeql/go-queries:codeql-suites/go-security-experimental.qls \
  --format=sarif-latest \
  --output=codeql-results-go.sarif \
  --sarif-add-baseline-file-info \
--- a/scripts/pre-commit-hooks/codeql-js-scan.sh
+++ b/scripts/pre-commit-hooks/codeql-js-scan.sh
@@ -26,11 +26,10 @@ codeql database create codeql-db-js \
  --overwrite

 echo ""
-echo "📊 Analyzing with security-and-quality + security-experimental suites..."
-# Analyze with CI-aligned suites (mirrors codeql.yml queries: security-and-quality,security-experimental)
+echo "📊 Analyzing with security-and-quality suite..."
+# Analyze with CI-aligned suite (mirrors codeql.yml queries: security-and-quality)
 codeql database analyze codeql-db-js \
  codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls \
-  codeql/javascript-queries:codeql-suites/javascript-security-experimental.qls \
  --format=sarif-latest \
  --output=codeql-results-js.sarif \
  --sarif-add-baseline-file-info \