akanealw
eec8c28fb3
Some checks failed
Go Benchmark / Performance Regression Check (push) Has been cancelled
Cerberus Integration / Cerberus Security Stack Integration (push) Has been cancelled
Upload Coverage to Codecov / Backend Codecov Upload (push) Has been cancelled
Upload Coverage to Codecov / Frontend Codecov Upload (push) Has been cancelled
CodeQL - Analyze / CodeQL analysis (go) (push) Has been cancelled
CodeQL - Analyze / CodeQL analysis (javascript-typescript) (push) Has been cancelled
CrowdSec Integration / CrowdSec Bouncer Integration (push) Has been cancelled
Docker Build, Publish & Test / build-and-push (push) Has been cancelled
Quality Checks / Auth Route Protection Contract (push) Has been cancelled
Quality Checks / Codecov Trigger/Comment Parity Guard (push) Has been cancelled
Quality Checks / Backend (Go) (push) Has been cancelled
Quality Checks / Frontend (React) (push) Has been cancelled
Rate Limit integration / Rate Limiting Integration (push) Has been cancelled
Security Scan (PR) / Trivy Binary Scan (push) Has been cancelled
Supply Chain Verification (PR) / Verify Supply Chain (push) Has been cancelled
WAF integration / Coraza WAF Integration (push) Has been cancelled
Docker Build, Publish & Test / Security Scan PR Image (push) Has been cancelled
Repo Health Check / Repo health (push) Has been cancelled
History Rewrite Dry-Run / Dry-run preview for history rewrite (push) Has been cancelled
Prune Renovate Branches / prune (push) Has been cancelled
Renovate / renovate (push) Has been cancelled
Nightly Build & Package / sync-development-to-nightly (push) Has been cancelled
Nightly Build & Package / Trigger Nightly Validation Workflows (push) Has been cancelled
Nightly Build & Package / build-and-push-nightly (push) Has been cancelled
Nightly Build & Package / test-nightly-image (push) Has been cancelled
Nightly Build & Package / verify-nightly-supply-chain (push) Has been cancelled
Update GeoLite2 Checksum / update-checksum (push) Has been cancelled
Container Registry Prune / prune-ghcr (push) Has been cancelled
Container Registry Prune / prune-dockerhub (push) Has been cancelled
Container Registry Prune / summarize (push) Has been cancelled
Supply Chain Verification / Verify SBOM (push) Has been cancelled
Supply Chain Verification / Verify Release Artifacts (push) Has been cancelled
Supply Chain Verification / Verify Docker Image Supply Chain (push) Has been cancelled
Monitor Caddy Major Release / check-caddy-major (push) Has been cancelled
Weekly Nightly to Main Promotion / Verify Nightly Branch Health (push) Has been cancelled
Weekly Nightly to Main Promotion / Create Promotion PR (push) Has been cancelled
Weekly Nightly to Main Promotion / Trigger Missing Required Checks (push) Has been cancelled
Weekly Nightly to Main Promotion / Notify on Failure (push) Has been cancelled
Weekly Nightly to Main Promotion / Workflow Summary (push) Has been cancelled
Weekly Security Rebuild / Security Rebuild & Scan (push) Has been cancelled
5.7 KiB
Executable File
5.7 KiB
Executable File
CodeQL Security Scanning Guide
Overview
Charon uses GitHub's CodeQL for static application security testing (SAST). CodeQL analyzes code to find security vulnerabilities and coding errors.
Quick Start
Run CodeQL Locally (CI-Aligned)
Via VS Code Tasks:
- Open Command Palette (
Ctrl+Shift+P/Cmd+Shift+P) - Type "Tasks: Run Task"
- Select:
Security: CodeQL Go Scan (CI-Aligned)- Scan backendSecurity: CodeQL JS Scan (CI-Aligned)- Scan frontendSecurity: CodeQL All (CI-Aligned)- Scan both
Via Pre-Commit:
# Quick security check (govulncheck - 5s)
pre-commit run security-scan --all-files
# Full CodeQL scan (2-3 minutes)
pre-commit run codeql-go-scan --all-files
pre-commit run codeql-js-scan --all-files
pre-commit run codeql-check-findings --all-files
Via Command Line:
# Go scan
codeql database create codeql-db-go --language=go --source-root=backend --overwrite
codeql database analyze codeql-db-go \
codeql/go-queries:codeql-suites/go-security-and-quality.qls \
--format=sarif-latest --output=codeql-results-go.sarif
# JavaScript/TypeScript scan
codeql database create codeql-db-js --language=javascript --source-root=frontend --overwrite
codeql database analyze codeql-db-js \
codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls \
--format=sarif-latest --output=codeql-results-js.sarif
View Results
Method 1: VS Code SARIF Viewer (Recommended)
- Install extension:
MS-SarifVSCode.sarif-viewer - Open
codeql-results-go.sariforcodeql-results-js.sarif - Navigate findings with inline annotations
Method 2: Command Line (jq)
# Summary
jq '.runs[].results | length' codeql-results-go.sarif
# Details
jq -r '.runs[].results[] | "\(.level): \(.message.text) (\(.locations[0].physicalLocation.artifactLocation.uri):\(.locations[0].physicalLocation.region.startLine))"' codeql-results-go.sarif
Method 3: GitHub Security Tab
- CI automatically uploads results to:
https://github.com/YourOrg/Charon/security/code-scanning
Understanding Query Suites
Charon uses the security-and-quality suite (GitHub Actions default):
| Suite | Go Queries | JS Queries | Use Case |
|---|---|---|---|
security-extended |
39 | 106 | Security-only, faster |
security-and-quality |
61 | 204 | Security + quality, comprehensive (CI default) |
⚠️ Important: Local scans MUST use security-and-quality to match CI behavior.
Severity Levels
- 🔴 Error (High/Critical): Must fix before merge - CI will fail
- 🟡 Warning (Medium): Should fix - CI continues
- 🔵 Note (Low/Info): Consider fixing - CI continues
Common Issues & Fixes
Issue: "CWE-918: Server-Side Request Forgery (SSRF)"
Location: backend/internal/api/handlers/url_validator.go
Fix:
// BAD: Unrestricted URL
resp, err := http.Get(userProvidedURL)
// GOOD: Validate against allowlist
if !isAllowedHost(userProvidedURL) {
return ErrSSRFAttempt
}
resp, err := http.Get(userProvidedURL)
Reference: docs/security/ssrf-protection.md
Issue: "CWE-079: Cross-Site Scripting (XSS)"
Location: frontend/src/components/...
Fix:
// BAD: Unsafe HTML rendering
element.innerHTML = userInput;
// GOOD: Safe text content
element.textContent = userInput;
// GOOD: Sanitized HTML (if HTML is required)
import DOMPurify from 'dompurify';
element.innerHTML = DOMPurify.sanitize(userInput);
Issue: "CWE-089: SQL Injection"
Fix: Use parameterized queries (GORM handles this automatically)
// BAD: String concatenation
db.Raw("SELECT * FROM users WHERE name = '" + userName + "'")
// GOOD: Parameterized query
db.Where("name = ?", userName).Find(&users)
CI/CD Integration
When CodeQL Runs
- Push: Every commit to
main,development,feature/* - Pull Request: Every PR to
main,development - Schedule: Weekly scan on Monday at 3 AM UTC
CI Behavior
✅ Allowed to merge:
- No findings
- Only warnings/notes
- Forked PRs (security scanning skipped for permission reasons)
❌ Blocked from merge:
- Any error-level (high/critical) findings
- CodeQL analysis failure
Viewing CI Results
- PR Checks: See "CodeQL analysis (go)" and "CodeQL analysis (javascript-typescript)" checks
- Security Tab: Navigate to repo → Security → Code scanning alerts
- Workflow Summary: Click on failed check → View job summary
Troubleshooting
"CodeQL passes locally but fails in CI"
Cause: Using wrong query suite locally
Fix: Ensure tasks use security-and-quality:
codeql database analyze DB_PATH \
codeql/LANGUAGE-queries:codeql-suites/LANGUAGE-security-and-quality.qls \
...
"SARIF file not found"
Cause: Database creation or analysis failed
Fix:
- Check terminal output for errors
- Ensure CodeQL is installed:
codeql version - Verify source-root exists:
ls backend/orls frontend/
"Too many findings to fix"
Strategy:
- Fix all error level first (CI blockers)
- Create issues for warning level (non-blocking)
- Document note level for future consideration
Suppress false positives:
// codeql[go/sql-injection] - Safe: input is validated by ACL
db.Raw(query).Scan(&results)
Performance Tips
- Incremental Scans: CodeQL caches databases, second run is faster
- Parallel Execution: Use
--threads=0for auto-detection - CI Only: Run full scans in CI, quick checks locally