fix: implement security severity policy and enhance CodeQL checks for blocking findings

2026-02-25 15:05:41 +00:00
parent 0917edb863
commit cb16ac05a2
11 changed files with 727 additions and 43 deletions
--- a/scripts/pre-commit-hooks/codeql-check-findings.sh
+++ b/scripts/pre-commit-hooks/codeql-check-findings.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Check CodeQL SARIF results for HIGH/CRITICAL findings
+# Check CodeQL SARIF results for blocking findings (CI-aligned)
 set -e

 RED='\033[0;31m'
@@ -24,10 +24,10 @@ check_sarif() {

        # Check for findings using jq (if available)
    if command -v jq &> /dev/null; then
-                # Count high/critical severity findings.
-                # Note: CodeQL SARIF may omit result-level `level`; when absent, severity
-                # is defined on the rule metadata (`tool.driver.rules[].defaultConfiguration.level`).
-                HIGH_COUNT=$(jq -r '[
+                # Count blocking findings.
+                # CI behavior: block only effective level=error (high/critical equivalent);
+                # warnings are reported but non-blocking unless escalated by policy.
+                BLOCKING_COUNT=$(jq -r '[
                    .runs[] as $run
                    | $run.results[]
                    | . as $result
@@ -42,13 +42,31 @@ check_sarif() {
                        ][0] // empty)
                        // ""
                    ) | ascii_downcase) as $effectiveLevel
-                    | select($effectiveLevel == "error" or $effectiveLevel == "warning")
+                    | select($effectiveLevel == "error")
                ] | length' "$sarif_file" 2>/dev/null || echo 0)

-        if [ "$HIGH_COUNT" -gt 0 ]; then
-            echo -e "${RED}❌ Found $HIGH_COUNT potential security issues in $lang code${NC}"
+                WARNING_COUNT=$(jq -r '[
+                    .runs[] as $run
+                    | $run.results[]
+                    | . as $result
+                    | ($run.tool.driver.rules // []) as $rules
+                    | ((
+                        $result.level
+                        // (if (($result.ruleIndex | type) == "number") then ($rules[$result.ruleIndex].defaultConfiguration.level // empty) else empty end)
+                        // ([
+                            $rules[]?
+                            | select((.id // "") == ($result.ruleId // ""))
+                            | (.defaultConfiguration.level // empty)
+                        ][0] // empty)
+                        // ""
+                    ) | ascii_downcase) as $effectiveLevel
+                    | select($effectiveLevel == "warning")
+                ] | length' "$sarif_file" 2>/dev/null || echo 0)
+
+        if [ "$BLOCKING_COUNT" -gt 0 ]; then
+            echo -e "${RED}❌ Found $BLOCKING_COUNT blocking CodeQL issues in $lang code${NC}"
            echo ""
-            echo "Summary:"
+            echo "Blocking summary (error-level):"
                        jq -r '
                            .runs[] as $run
                            | $run.results[]
@@ -64,30 +82,34 @@ check_sarif() {
                                ][0] // empty)
                                // ""
                            ) | ascii_downcase) as $effectiveLevel
-                            | select($effectiveLevel == "error" or $effectiveLevel == "warning")
+                            | select($effectiveLevel == "error")
                            | "\($effectiveLevel): \($result.ruleId // "<unknown-rule>"): \($result.message.text) (\($result.locations[0].physicalLocation.artifactLocation.uri):\($result.locations[0].physicalLocation.region.startLine))"
                        ' "$sarif_file" 2>/dev/null | head -10
            echo ""
            echo "View full results: code $sarif_file"
            FAILED=1
        else
-            echo -e "${GREEN}✅ No security issues found in $lang code${NC}"
+            echo -e "${GREEN}✅ No blocking CodeQL issues found in $lang code${NC}"
+            if [ "$WARNING_COUNT" -gt 0 ]; then
+                echo -e "${YELLOW}⚠️  Non-blocking warnings in $lang: $WARNING_COUNT (policy triage required)${NC}"
+            fi
        fi
    else
-        # Fallback: check if file has results
-        if grep -q '"results"' "$sarif_file" && ! grep -q '"results": \[\]' "$sarif_file"; then
-            echo -e "${YELLOW}⚠️  CodeQL findings detected in $lang (install jq for details)${NC}"
-            echo "View results: code $sarif_file"
-            FAILED=1
-        else
-            echo -e "${GREEN}✅ No security issues found in $lang code${NC}"
-        fi
+                        echo -e "${RED}❌ jq is required for semantic CodeQL severity evaluation (${lang})${NC}"
+                        echo "Install jq and re-run: pre-commit run --hook-stage manual codeql-check-findings --all-files"
+                        FAILED=1
    fi
 }

 echo "🔒 Checking CodeQL findings..."
 echo ""

+                if ! command -v jq &> /dev/null; then
+                    echo -e "${RED}❌ jq is required for CodeQL finding checks${NC}"
+                    echo "Install jq and re-run: pre-commit run --hook-stage manual codeql-check-findings --all-files"
+                    exit 1
+                fi
+
 check_sarif "codeql-results-go.sarif" "go"

 # Support both JS artifact names, preferring the CI-aligned canonical file.
@@ -102,7 +124,7 @@ fi

 if [ $FAILED -eq 1 ]; then
    echo ""
-    echo -e "${RED}❌ CodeQL scan found security issues. Please fix before committing.${NC}"
+    echo -e "${RED}❌ CodeQL scan found blocking findings (error-level). Please fix before committing.${NC}"
    echo ""
    echo "To view results:"
    echo "  - VS Code: Install SARIF Viewer extension"