Charon/docs/plans/archive/codeql-local-hygiene.md
2026-03-04 18:34:49 +00:00


# Local Scan Hygiene (CodeQL + Trivy)
This plan captures local scan-hygiene items that are separate from the SSRF remediation itself but commonly cause local, CI-aligned security tasks to fail, either because generated artifacts are scanned as if they were source or because the scan scope is wider than the project.
## Goal
- Keep local security tasks deterministic and aligned with CI behavior.
- Prevent generated artifacts (coverage, dist outputs, tool DBs) from being treated as source code during scans.
## CodeQL JS: prevent scanning generated artifacts
### Problem
Local CodeQL JS scans can fail, or report findings in non-source files, if coverage/build artifacts exist on disk under `frontend/` (example: a finding under `frontend/coverage/lcov-report/...`, which is generated HTML/JS, not project code).
### Plan
- Ensure generated artifacts are not treated as source:
  - Confirm `.gitignore` excludes `frontend/coverage/**` and other build outputs.
- Add a deterministic cleanup step in local CodeQL JS entrypoints:
  - Remove if present:
    - `frontend/coverage/`
    - `frontend/dist/`
    - `playwright-report/`
    - `test-results/`
    - `coverage/` (root-level, if present)
Likely scripts involved (verify current wiring before editing):
- [scripts/pre-commit-hooks/codeql-js-scan.sh](scripts/pre-commit-hooks/codeql-js-scan.sh)
- [.github/skills/security-scan-codeql-scripts/run.sh](.github/skills/security-scan-codeql-scripts/run.sh)
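The cleanup step as an added, stand-alone example (not the project's `codeql-js-scan.sh` or `run.sh`; the directory list is the one above, while the repo-root guard, the function names and the argument handling are this example's own assumptions). It refuses to run against a directory that does not look like a repo root, so a mistyped path cannot delete unrelated trees, and it skips symlinks so a linked directory is never followed:

```shell
#!/usr/bin/env sh
# Added example, not the project's own script: deterministic removal of generated
# artifacts before a local CodeQL JS database is built.
# Directory list is from the plan; the root check, function names and the
# "repo root as $1" convention are assumptions of this example.
set -eu

# Paths relative to the repo root that must never be indexed as source.
GENERATED_DIRS="frontend/coverage frontend/dist playwright-report test-results coverage"

# Remove each generated directory under $1 if present; prints each removed path.
# Refuses to run unless $1 has a .git entry or a frontend/ directory.
cleanup_generated_artifacts() {
  root=$1
  if [ ! -e "$root/.git" ] && [ ! -d "$root/frontend" ]; then
    echo "refusing: $root does not look like a repo root" >&2
    return 1
  fi
  for d in $GENERATED_DIRS; do
    target="$root/$d"
    # Only real directories: a symlink here would mean deleting its target.
    if [ -d "$target" ] && [ ! -L "$target" ]; then
      rm -rf -- "$target"
      echo "removed $d"
    fi
  done
}

# Count how many of the generated directories still exist under $1
# (0 means the tree is clean and CodeQL will see only real source).
count_generated_present() {
  root=$1
  n=0
  for d in $GENERATED_DIRS; do
    [ -e "$root/$d" ] && n=$((n + 1))
  done
  echo "$n"
}

# Usage (assumed wiring): sh cleanup-generated.sh "$(git rev-parse --show-toplevel)"
# then run `codeql database create ...` as before.
if [ $# -gt 0 ]; then
  cleanup_generated_artifacts "$1"
  echo "generated dirs remaining: $(count_generated_present "$1")"
fi
```

Run it from the CodeQL entrypoint immediately before the database is created; because it only ever deletes the fixed list above, repeated runs are idempotent and a clean checkout is a no-op.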
### Notes
- `.github/codeql/codeql-config.yml` already has `paths-ignore` entries for several generated paths (e.g., `frontend/coverage/**`, `frontend/dist/**`, `test-results/**`). Cleanup is still recommended because `paths-ignore` only takes effect when the run actually passes that config file to CodeQL (the CodeQL Action does; a hand-rolled `codeql database create` does not unless it is given `--codescanning-config`), so a local invocation that builds the database directly can still index those paths. Removing the artifacts protects local runs regardless of how the database is built.
## Trivy FS: exclude tool/cache databases from scan scope
### Problem
Trivy can scan non-project directories and produce noise or scanner errors when it traverses:
- local caches (`.cache/`, including Go module caches)
- CodeQL databases (`codeql-db-*`)
- agent outputs (`codeql-agent-results/`)
### Plan
- Update the local Trivy entrypoint to skip non-project directories using explicit `--skip-dirs` options.
Primary script:
- [.github/skills/security-scan-trivy-scripts/run.sh](.github/skills/security-scan-trivy-scripts/run.sh)
Suggested skip set (keep explicit; no globs):
- `.cache/`
- `codeql-db-go/`
- `codeql-db-js/`
- `my-codeql-db/`
- `codeql-agent-results/`
- `codeql-custom-queries-go/` (optional for noise/speed)
- `test-results/` (optional; only if it creates findings)
### Keep local behavior CI-aligned
- Ensure findings fail the scan without unnecessary noise:
- Set `--exit-code 1`
- Default severity threshold: `CRITICAL,HIGH` (allow override via `TRIVY_SEVERITY`)
- Prefer `--skip-dirs` for non-project content; use `.trivyignore` only for reviewed, true false positives, so the ignore file never silently widens into a scope exclusion.
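The skip set and the CI-aligned flags from the two lists above, combined into one added example of a local Trivy entrypoint (not the project's `run.sh`; the skip directories, the `--exit-code 1` default and the `TRIVY_SEVERITY` override are from the plan, while the `DRY_RUN` variable and the function names are this example's assumptions). The argument list is built by a function that can be inspected without Trivy installed, so the exact scope of a scan is reviewable before it runs:

```shell
#!/usr/bin/env sh
# Added example, not the project's own script: local `trivy fs` wrapper with an
# explicit skip set and CI-aligned exit/severity behaviour.
# Skip list, --exit-code 1 and the TRIVY_SEVERITY override come from the plan;
# DRY_RUN and the function names are assumptions of this example.
set -eu

# Non-project directories excluded by name (explicit, no globs), as in the plan.
# Trivy accepts a comma-separated list for --skip-dirs.
SKIP_DIRS=".cache,codeql-db-go,codeql-db-js,my-codeql-db,codeql-agent-results,codeql-custom-queries-go"

# Print the trivy argument list, one argument per line, for the scan root $1.
trivy_fs_args() {
  scan_root=${1:-.}
  severity=${TRIVY_SEVERITY:-CRITICAL,HIGH}   # default matches CI; override per run
  printf '%s\n' fs
  printf '%s\n' --exit-code 1                 # any finding at or above severity fails
  printf '%s\n' --severity "$severity"
  printf '%s\n' --skip-dirs "$SKIP_DIRS"      # scope, not suppression
  # A reviewed ignore file is the only place true false positives are suppressed.
  if [ -f "$scan_root/.trivyignore" ]; then
    printf '%s\n' --ignorefile "$scan_root/.trivyignore"
  fi
  printf '%s\n' "$scan_root"
}

# Execute trivy with the generated arguments (no spaces in any of them, so
# word-splitting the function output is safe here).
run_local_trivy() {
  # shellcheck disable=SC2046
  set -- $(trivy_fs_args "${1:-.}")
  trivy "$@"
}

# DRY_RUN=1 (the default in this example) prints the command instead of running it.
if [ "${DRY_RUN:-1}" = "1" ]; then
  echo "trivy $(trivy_fs_args "${1:-.}" | tr '\n' ' ')"
else
  run_local_trivy "${1:-.}"
fi
```

Invoke it as `DRY_RUN=0 sh trivy-local.sh .` for a real scan, or `TRIVY_SEVERITY=CRITICAL DRY_RUN=0 sh trivy-local.sh .` to tighten the threshold for a quick check; the dry-run output is the line to compare against the CI workflow when verifying the two stay aligned.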
## Repo hygiene follow-up (separate PR)
The repo root currently contains scan artifacts such as `codeql-results-*.sarif` and `trivy-*.txt`. Follow the repo structure guidance by moving these under `test-results/` and/or adding appropriate `.gitignore` entries.