# CodeQL Configuration File
# See: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning

name: "Charon CodeQL Config"

# Query filters to exclude specific alerts with documented justification
query-filters:
  # ===========================================================================
  # SSRF False Positive Exclusion
  # ===========================================================================
  # File: backend/internal/utils/url_testing.go (line 276)
  # Rule: go/request-forgery
  #
  # JUSTIFICATION: This file implements comprehensive 4-layer SSRF protection:
  #
  # Layer 1: Format Validation (utils.ValidateURL)
  #   - Validates URL scheme (http/https only)
  #   - Parses and validates URL structure
  #
  # Layer 2: Security Validation (security.ValidateExternalURL)
  #   - Performs DNS resolution with timeout
  #   - Blocks 13+ private/reserved IP CIDR ranges, including:
  #       * RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  #       * Loopback: 127.0.0.0/8, ::1/128
  #       * Link-Local: 169.254.0.0/16 (AWS/GCP/Azure metadata), fe80::/10
  #       * Reserved: 0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32
  #       * IPv6 ULA: fc00::/7
  #
  # Layer 3: Connection-Time Validation (ssrfSafeDialer)
  #   - Re-resolves DNS at connection time (prevents DNS rebinding)
  #   - Re-validates all resolved IPs against the blocklist
  #   - Blocks the request if any resolved IP is private/reserved
  #
  # Layer 4: Request Execution (TestURLConnectivity)
  #   - HEAD request only (minimal data exposure)
  #   - 5-second timeout
  #   - Max 2 redirects, with every redirect target re-validated
  #
  # Security Review: Approved - defense-in-depth prevents SSRF attacks
  # Last Review Date: 2026-01-01
  #
  # SCOPE NOTE: query-filters match query metadata (id, tags, precision, ...),
  # not file paths, so this entry silences go/request-forgery for the entire
  # repository, not only for the file and line named above. Outbound-request
  # code added elsewhere that does not go through the layers above will not be
  # flagged by this rule; re-evaluate the exclusion whenever such code lands.
  # ===========================================================================
  - exclude:
      id: go/request-forgery

# Paths to ignore from all analysis (use sparingly - prefer query-filters)
# paths-ignore:
#   - "**/vendor/**"
#   - "**/testdata/**"
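The four layers the justification describes, written out as an added Go example. This is illustrative code, not Charon's utils.ValidateURL, security.ValidateExternalURL, ssrfSafeDialer or TestURLConnectivity: the blocklist is constructed to mirror the ranges listed in the comment, the resolver is injected (LookupFunc) so the DNS-rebinding case can be exercised without network access, and the names IsBlockedIP, ResolveAndCheck, ValidateURL and NewSSRFSafeClient are assumptions. It also goes one step past the comment by handling two literal-address edge cases (IPv4-mapped IPv6 and zoned IPv6) that a CIDR check silently misses.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"time"
)

// Blocklist constructed to mirror the ranges listed in the config comment; this is
// added example code, not Charon's security.ValidateExternalURL.
var blockedNets = func() (ps []netip.Prefix) {
	for _, c := range []string{
		"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", // RFC 1918
		"127.0.0.0/8", "::1/128", // loopback
		"169.254.0.0/16", "fe80::/10", // link-local, incl. cloud metadata endpoints
		"0.0.0.0/8", "240.0.0.0/4", "255.255.255.255/32", // reserved
		"fc00::/7", // IPv6 unique local
	} {
		ps = append(ps, netip.MustParsePrefix(c))
	}
	return ps
}()

// IsBlockedIP reports whether a lies in a private or reserved range. The address is
// unmapped (::ffff:10.0.0.1 -> 10.0.0.1) and its zone dropped first: Prefix.Contains
// is false for any zoned address, so fe80::1%eth0 would otherwise bypass fe80::/10.
func IsBlockedIP(a netip.Addr) bool {
	a = a.Unmap().WithZone("")
	for _, p := range blockedNets {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// LookupFunc resolves a hostname; production wraps net.DefaultResolver.LookupNetIP,
// tests pass a fake so nothing here touches the network.
type LookupFunc func(ctx context.Context, host string) ([]netip.Addr, error)

// ResolveAndCheck returns an address for host only if every resolved address is allowed:
// an attacker-controlled zone can answer with a public and a private record together.
func ResolveAndCheck(ctx context.Context, lookup LookupFunc, host string) (netip.Addr, error) {
	if a, err := netip.ParseAddr(host); err == nil { // IP literal: no DNS, same check
		if IsBlockedIP(a) {
			return netip.Addr{}, fmt.Errorf("ssrf: %s is a private or reserved address", a)
		}
		return a, nil
	}
	addrs, err := lookup(ctx, host)
	if err != nil || len(addrs) == 0 {
		return netip.Addr{}, fmt.Errorf("ssrf: no usable address for %s (%v)", host, err)
	}
	for _, a := range addrs {
		if IsBlockedIP(a) {
			return netip.Addr{}, fmt.Errorf("ssrf: %s resolves to blocked address %s", host, a)
		}
	}
	return addrs[0], nil
}

// ValidateURL is the format layer: an absolute http or https URL with a host.
func ValidateURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err == nil && (u.Scheme == "http" || u.Scheme == "https") && u.Hostname() != "" {
		return u, nil
	}
	return nil, fmt.Errorf("ssrf: refusing %q: http/https URL with a host required", raw)
}

// NewSSRFSafeClient re-resolves at connection time and dials the vetted IP directly, so a
// DNS answer that changes between validation and connect (rebinding) never reaches a
// private address. Redirects are capped; each target is format-checked here and its
// addresses are re-checked by the dialer when the redirected request connects.
func NewSSRFSafeClient(lookup LookupFunc, maxRedirects int) *http.Client {
	tr := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			ip, err := ResolveAndCheck(ctx, lookup, host)
			if err != nil {
				return nil, err
			}
			d := net.Dialer{Timeout: 5 * time.Second}
			return d.DialContext(ctx, network, net.JoinHostPort(ip.Unmap().String(), port))
		},
	}
	return &http.Client{Transport: tr, Timeout: 5 * time.Second,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) > maxRedirects {
				return fmt.Errorf("ssrf: more than %d redirects", maxRedirects)
			}
			_, err := ValidateURL(req.URL.String())
			return err
		}}
}
```

In production the lookup is `func(ctx context.Context, h string) ([]netip.Addr, error) { return net.DefaultResolver.LookupNetIP(ctx, "ip", h) }` and the Layer 4 probe is `client.Head(u.String())` on the returned client after `ValidateURL`. The point of dialing the vetted IP rather than the hostname is that the Go transport never performs a second resolution of its own, so there is no window between the check and the connect for a rebinding answer to exploit; TLS verification still uses the hostname from the request, so certificate checking is unaffected.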