akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 14 Packages Projects Releases Wiki Activity
Files
05fba0b3dbe0b17dc4e9860e3efb38c241fe97ca
Charon/docs/plans/codeql-local-hygiene.md
GitHub Actions f64e3feef8 chore: clean .gitignore cache
2026-01-26 19:22:05 +00:00

2.9 KiB
Raw Blame History

Local Scan Hygiene (CodeQL + Trivy)

This plan captures local scan-hygiene items that are not the SSRF remediation itself, but commonly cause CI-aligned local security tasks to fail due to generated artifacts or scanning scope.

Goal

  • Keep local CI-aligned tasks deterministic and aligned with CI behavior.
  • Prevent generated artifacts (coverage, dist outputs, tool DBs) from being treated as source code during scans.

CodeQL JS: prevent scanning generated artifacts

Problem

Local CodeQL JS scans can fail if coverage/build artifacts exist on disk under frontend/ (example: a finding under frontend/coverage/lcov-report/...).

Plan

  • Ensure generated artifacts are not treated as source:
    • Confirm .gitignore excludes frontend/coverage/** and other build outputs.
  • Add a deterministic cleanup step in local CodeQL JS entrypoints:
    • Remove if present:
      • frontend/coverage/
      • frontend/dist/
      • playwright-report/
      • test-results/
      • coverage/ (root-level, if present)

Likely scripts involved (verify current wiring before editing):

Notes

  • .github/codeql/codeql-config.yml already has paths-ignore entries for several generated paths (e.g., frontend/coverage/**, frontend/dist/**, test-results/**). Cleanup is still recommended because it protects local runs even if a given invocation does not consistently apply a config file.

Trivy FS: exclude tool/cache databases from scan scope

Problem

Trivy can scan non-project directories and produce noise or scanner errors when it traverses:

  • local caches (.cache/, including Go module caches)
  • CodeQL databases (codeql-db-*)
  • agent outputs (codeql-agent-results/)

Plan

  • Update the local Trivy entrypoint to skip non-project directories using explicit --skip-dirs options.

Primary script:

Suggested skip set (keep explicit; no globs):

  • .cache/
  • codeql-db-go/
  • codeql-db-js/
  • my-codeql-db/
  • codeql-agent-results/
  • codeql-custom-queries-go/ (optional for noise/speed)
  • test-results/ (optional; only if it creates findings)

Keep local behavior CI-aligned

  • Ensure findings fail the scan without unnecessary noise:
    • Set --exit-code 1
    • Default severity threshold: CRITICAL,HIGH (allow override via TRIVY_SEVERITY)
  • Prefer skip-dirs for non-project content; use ignorefiles only for true false positives.

Repo hygiene follow-up (separate PR)

The repo root currently contains scan artifacts such as codeql-results-*.sarif and trivy-*.txt. Follow the repo structure guidance by moving these under test-results/ and/or adding appropriate .gitignore entries.

Reference in New Issue View Git Blame Copy Permalink