akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 14 Packages Projects Releases Wiki Activity

fix: update CodeQL queries to include security-experimental suite for enhanced analysis

Browse Source
This commit is contained in:
GitHub Actions
2026-03-07 02:42:42 +00:00
parent d74ea47e2c
commit 92310a8b3e
4 changed files with 13 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
scripts/ci/check-codeql-parity.sh
View File

@@ -118,12 +118,15 @@ ensure_event_branches_semantic \
"push" \
"branches: [main]" \
"main" || fail "codeql.yml push branches must be [main]"
grep -Fq 'queries: security-and-quality' "$CODEQL_WORKFLOW" || fail "codeql.yml must pin init queries to security-and-quality"
grep -Fq 'security-and-quality' "$CODEQL_WORKFLOW" || fail "codeql.yml must include security-and-quality in init queries"
grep -Fq 'security-experimental' "$CODEQL_WORKFLOW" || fail "codeql.yml must include security-experimental in init queries (align with local scans)"
ensure_task_command "$TASKS_FILE" "Security: CodeQL Go Scan (CI-Aligned) [~60s]" "bash scripts/pre-commit-hooks/codeql-go-scan.sh" || fail "Missing or mismatched CI-aligned Go CodeQL task (label+command)"
ensure_task_command "$TASKS_FILE" "Security: CodeQL JS Scan (CI-Aligned) [~90s]" "bash scripts/pre-commit-hooks/codeql-js-scan.sh" || fail "Missing or mismatched CI-aligned JS CodeQL task (label+command)"
! grep -Fq 'go-security-extended.qls' "$TASKS_FILE" || fail "tasks.json contains deprecated go-security-extended suite; use CI-aligned scripts"
! grep -Fq 'javascript-security-extended.qls' "$TASKS_FILE" || fail "tasks.json contains deprecated javascript-security-extended suite; use CI-aligned scripts"
grep -Fq 'codeql/go-queries:codeql-suites/go-security-and-quality.qls' "$GO_PRECOMMIT_SCRIPT" || fail "Go pre-commit script must use go-security-and-quality suite"
grep -Fq 'codeql/go-queries:codeql-suites/go-security-experimental.qls' "$GO_PRECOMMIT_SCRIPT" || fail "Go pre-commit script must use go-security-experimental suite (align with CI)"
grep -Fq 'codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls' "$JS_PRECOMMIT_SCRIPT" || fail "JS pre-commit script must use javascript-security-and-quality suite"
grep -Fq 'codeql/javascript-queries:codeql-suites/javascript-security-experimental.qls' "$JS_PRECOMMIT_SCRIPT" || fail "JS pre-commit script must use javascript-security-experimental suite (align with CI)"
echo "CodeQL parity check passed (workflow triggers + suite pinning + local/pre-commit suite alignment)"
echo "CodeQL parity check passed (workflow triggers + suite pinning [security-and-quality + security-experimental] + local/CI alignment)"