chore: clean .gitignore cache
This commit is contained in:
GitHub Actions
@@ -1,74 +0,0 @@
|
||||
# Local Scan Hygiene (CodeQL + Trivy)
|
||||
|
||||
This plan captures local scan-hygiene items that are not the SSRF remediation itself, but commonly cause CI-aligned local security tasks to fail due to generated artifacts or scanning scope.
|
||||
|
||||
## Goal
|
||||
|
||||
- Keep local CI-aligned tasks deterministic and aligned with CI behavior.
|
||||
- Prevent generated artifacts (coverage, dist outputs, tool DBs) from being treated as source code during scans.
|
||||
|
||||
## CodeQL JS: prevent scanning generated artifacts
|
||||
|
||||
### Problem
|
||||
|
||||
Local CodeQL JS scans can fail if coverage/build artifacts exist on disk under `frontend/` (example: a finding under `frontend/coverage/lcov-report/...`).
|
||||
|
||||
### Plan
|
||||
|
||||
- Ensure generated artifacts are not treated as source:
|
||||
- Confirm `.gitignore` excludes `frontend/coverage/**` and other build outputs.
|
||||
- Add a deterministic cleanup step in local CodeQL JS entrypoints:
|
||||
- Remove if present:
|
||||
- `frontend/coverage/`
|
||||
- `frontend/dist/`
|
||||
- `playwright-report/`
|
||||
- `test-results/`
|
||||
- `coverage/` (root-level, if present)
|
||||
|
||||
Likely scripts involved (verify current wiring before editing):
|
||||
|
||||
- [scripts/pre-commit-hooks/codeql-js-scan.sh](scripts/pre-commit-hooks/codeql-js-scan.sh)
|
||||
- [.github/skills/security-scan-codeql-scripts/run.sh](.github/skills/security-scan-codeql-scripts/run.sh)
|
||||
|
||||
### Notes
|
||||
|
||||
- `.github/codeql/codeql-config.yml` already has `paths-ignore` entries for several generated paths (e.g., `frontend/coverage/**`, `frontend/dist/**`, `test-results/**`). Cleanup is still recommended because it protects local runs even if a given invocation does not consistently apply a config file.
|
||||
|
||||
## Trivy FS: exclude tool/cache databases from scan scope
|
||||
|
||||
### Problem
|
||||
|
||||
Trivy can scan non-project directories and produce noise or scanner errors when it traverses:
|
||||
|
||||
- local caches (`.cache/`, including Go module caches)
|
||||
- CodeQL databases (`codeql-db-*`)
|
||||
- agent outputs (`codeql-agent-results/`)
|
||||
|
||||
### Plan
|
||||
|
||||
- Update the local Trivy entrypoint to skip non-project directories using explicit `--skip-dirs` options.
|
||||
|
||||
Primary script:
|
||||
|
||||
- [.github/skills/security-scan-trivy-scripts/run.sh](.github/skills/security-scan-trivy-scripts/run.sh)
|
||||
|
||||
Suggested skip set (keep explicit; no globs):
|
||||
|
||||
- `.cache/`
|
||||
- `codeql-db-go/`
|
||||
- `codeql-db-js/`
|
||||
- `my-codeql-db/`
|
||||
- `codeql-agent-results/`
|
||||
- `codeql-custom-queries-go/` (optional for noise/speed)
|
||||
- `test-results/` (optional; only if it creates findings)
|
||||
|
||||
### Keep local behavior CI-aligned
|
||||
|
||||
- Ensure findings fail the scan without unnecessary noise:
|
||||
- Set `--exit-code 1`
|
||||
- Default severity threshold: `CRITICAL,HIGH` (allow override via `TRIVY_SEVERITY`)
|
||||
- Prefer skip-dirs for non-project content; use ignorefiles only for true false positives.
|
||||
|
||||
## Repo hygiene follow-up (separate PR)
|
||||
|
||||
The repo root currently contains scan artifacts such as `codeql-results-*.sarif` and `trivy-*.txt`. Follow the repo structure guidance by moving these under `test-results/` and/or adding appropriate `.gitignore` entries.
|
||||
Reference in New Issue
Block a user