fix: add CodeQL configuration to exclude documented SSRF false positives and update workflow to use new config

2026-01-01 03:36:06 +00:00
parent f8667bcc66
commit a1ff78a92f
2 changed files with 51 additions and 3 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -44,9 +44,10 @@ jobs:
        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4
        with:
          languages: ${{ matrix.language }}
-          # Use custom model for Go to recognize SSRF sanitizers
-          # See: .github/codeql-custom-model.yml
-          config-file: ${{ matrix.language == 'go' && '.github/codeql-custom-model.yml' || '' }}
+          # Use CodeQL config to exclude documented false positives
+          # Go: Excludes go/request-forgery for url_testing.go (has 4-layer SSRF defense)
+          # See: .github/codeql/codeql-config.yml for full justification
+          config-file: ./.github/codeql/codeql-config.yml

      - name: Setup Go
        if: matrix.language == 'go'