chore: Update CodeQL scan scripts and documentation for CI alignment and deprecate old suites

2026-02-20 13:55:28 +00:00
parent 1309189523
commit 8e88d9feae
4 changed files with 13 additions and 7 deletions
--- a/.github/skills/security-scan-codeql-scripts/run.sh
+++ b/.github/skills/security-scan-codeql-scripts/run.sh
@@ -95,6 +95,7 @@ run_codeql_scan() {
    local source_root=$2
    local db_name="codeql-db-${lang}"
    local sarif_file="codeql-results-${lang}.sarif"
+    local suite=""
    local build_mode_args=()
    local codescanning_config="${PROJECT_ROOT}/.github/codeql/codeql-config.yml"

@@ -107,6 +108,9 @@ run_codeql_scan() {

    if [[ "${lang}" == "javascript" ]]; then
        build_mode_args=(--build-mode=none)
+        suite="codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls"
+    else
+        suite="codeql/go-queries:codeql-suites/go-security-and-quality.qls"
    fi

    log_step "CODEQL" "Scanning ${lang} code in ${source_root}/"
@@ -135,8 +139,9 @@ run_codeql_scan() {
    fi

    # Run analysis
-    log_info "Analyzing with Code Scanning config (CI-aligned query filters)..."
+    log_info "Analyzing with CI-aligned suite: ${suite}"
    if ! codeql database analyze "${db_name}" \
+        "${suite}" \
        --format=sarif-latest \
        --output="${sarif_file}" \
        --sarif-add-baseline-file-info \
--- a/.github/skills/security-scan-codeql.SKILL.md
+++ b/.github/skills/security-scan-codeql.SKILL.md
@@ -136,8 +136,8 @@ This skill uses the **security-and-quality** suite to match CI:

 | Language | Suite | Queries | Coverage |
 |----------|-------|---------|----------|
-| Go | go-security-and-quality.qls | 61 | Security + quality issues |
-| JavaScript | javascript-security-and-quality.qls | 204 | Security + quality issues |
+| Go | go-security-and-quality.qls | version-dependent | Security + quality issues |
+| JavaScript | javascript-security-and-quality.qls | version-dependent | Security + quality issues |

 **Note:** This matches GitHub Actions CodeQL default configuration exactly.

@@ -260,8 +260,7 @@ This skill is specifically designed to match GitHub Actions CodeQL workflow:
 | Parameter | Local | CI | Aligned |
 |-----------|-------|-----|---------|
 | Query Suite | security-and-quality | security-and-quality | ✅ |
-| Go Queries | 61 | 61 | ✅ |
-| JS Queries | 204 | 204 | ✅ |
+| Query Expansion | version-dependent | version-dependent | ✅ (when versions match) |
 | Threading | auto | auto | ✅ |
 | Baseline Info | enabled | enabled | ✅ |

--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -501,14 +501,14 @@
        {
            "label": "Security: CodeQL Go Scan (DEPRECATED)",
            "type": "shell",
-            "command": "codeql database create codeql-db-go --language=go --source-root=backend --overwrite && codeql database analyze codeql-db-go /projects/codeql/codeql/go/ql/src/codeql-suites/go-security-extended.qls --format=sarif-latest --output=codeql-results-go.sarif",
+            "command": "bash scripts/pre-commit-hooks/codeql-go-scan.sh",
            "group": "test",
            "problemMatcher": []
        },
        {
            "label": "Security: CodeQL JS Scan (DEPRECATED)",
            "type": "shell",
-            "command": "codeql database create codeql-db-js --language=javascript --source-root=frontend --overwrite && codeql database analyze codeql-db-js /projects/codeql/codeql/javascript/ql/src/codeql-suites/javascript-security-extended.qls --format=sarif-latest --output=codeql-results-js.sarif",
+            "command": "bash scripts/pre-commit-hooks/codeql-js-scan.sh",
            "group": "test",
            "problemMatcher": []
        },
--- a/scripts/ci/check-codeql-parity.sh
+++ b/scripts/ci/check-codeql-parity.sh
@@ -121,6 +121,8 @@ ensure_event_branches_semantic \
 grep -Fq 'queries: security-and-quality' "$CODEQL_WORKFLOW" || fail "codeql.yml must pin init queries to security-and-quality"
 ensure_task_command "$TASKS_FILE" "Security: CodeQL Go Scan (CI-Aligned) [~60s]" "bash scripts/pre-commit-hooks/codeql-go-scan.sh" || fail "Missing or mismatched CI-aligned Go CodeQL task (label+command)"
 ensure_task_command "$TASKS_FILE" "Security: CodeQL JS Scan (CI-Aligned) [~90s]" "bash scripts/pre-commit-hooks/codeql-js-scan.sh" || fail "Missing or mismatched CI-aligned JS CodeQL task (label+command)"
+! grep -Fq 'go-security-extended.qls' "$TASKS_FILE" || fail "tasks.json contains deprecated go-security-extended suite; use CI-aligned scripts"
+! grep -Fq 'javascript-security-extended.qls' "$TASKS_FILE" || fail "tasks.json contains deprecated javascript-security-extended suite; use CI-aligned scripts"
 grep -Fq 'codeql/go-queries:codeql-suites/go-security-and-quality.qls' "$GO_PRECOMMIT_SCRIPT" || fail "Go pre-commit script must use go-security-and-quality suite"
 grep -Fq 'codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls' "$JS_PRECOMMIT_SCRIPT" || fail "JS pre-commit script must use javascript-security-and-quality suite"