Charon/docs/plans/archive/codeql-local-hygiene.md
akanealw eec8c28fb3
changed perms
2026-04-22 18:19:14 +00:00

2.9 KiB
Executable File

# Local Scan Hygiene (CodeQL + Trivy)

This plan captures local scan-hygiene items that are not part of the SSRF remediation itself, but that commonly cause the CI-aligned local security tasks to fail because of generated artifacts on disk or an overly broad scanning scope.

## Goal

- Keep the local CI-aligned tasks deterministic and consistent with what CI actually runs.
- Prevent generated artifacts (coverage, dist outputs, tool databases) from being treated as source code during scans.

## CodeQL JS: prevent scanning generated artifacts

### Problem

Local CodeQL JS scans can fail if coverage/build artifacts exist on disk under `frontend/` (example: a finding under `frontend/coverage/lcov-report/...`).

### Plan

- Ensure generated artifacts are not treated as source:
  - Confirm `.gitignore` excludes `frontend/coverage/**` and other build outputs.
- Add a deterministic cleanup step in the local CodeQL JS entrypoints:
  - Remove if present:
    - `frontend/coverage/`
    - `frontend/dist/`
    - `playwright-report/`
    - `test-results/`
    - `coverage/` (root-level, if present)

Likely scripts involved (verify current wiring before editing):

### Notes

- `.github/codeql/codeql-config.yml` already has `paths-ignore` entries for several generated paths (e.g., `frontend/coverage/**`, `frontend/dist/**`, `test-results/**`). Cleanup is still recommended because it protects local runs even if a given invocation does not consistently apply the config file.

## Trivy FS: exclude tool/cache databases from scan scope

### Problem

Trivy can scan non-project directories and produce noise or scanner errors when it traverses:

- local caches (`.cache/`, including Go module caches)
- CodeQL databases (`codeql-db-*`)
- agent outputs (`codeql-agent-results/`)

### Plan

- Update the local Trivy entrypoint to skip non-project directories using explicit `--skip-dirs` options.

Primary script:

Suggested skip set (keep explicit; no globs):

- `.cache/`
- `codeql-db-go/`
- `codeql-db-js/`
- `my-codeql-db/`
- `codeql-agent-results/`
- `codeql-custom-queries-go/` (optional, for noise/speed)
- `test-results/` (optional; only if it creates findings)

### Keep local behavior CI-aligned

- Ensure findings fail the scan without unnecessary noise:
  - Set `--exit-code 1`
  - Default severity threshold: `CRITICAL,HIGH` (allow override via `TRIVY_SEVERITY`)
- Prefer `--skip-dirs` for non-project content; use an ignore file (`.trivyignore`) only for true false positives.
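The cleanup step from the CodeQL JS plan and the CI-aligned Trivy invocation from this section, as one added shell example that is not Charon's own entrypoint script (the real scripts are not reproduced on this page). The function names, the `run` usage and the file name are assumptions; the directory lists and flag values come from the plan, and `trivy fs`, `--skip-dirs`, `--exit-code` and `--severity` are Trivy's actual options.

```shell
#!/bin/sh
# Added example, not Charon's own entrypoint script: helpers a local scan
# wrapper could source. Directory lists mirror the plan above; the Trivy
# flags (trivy fs, --skip-dirs, --exit-code, --severity) are real options.
set -eu

# Generated artifacts that must never be scanned as source (CodeQL JS plan),
# given relative to the repo root.
GENERATED_DIRS="frontend/coverage frontend/dist playwright-report test-results coverage"

# Non-project directories Trivy should skip: explicit paths, no globs.
TRIVY_SKIP_DIRS=".cache codeql-db-go codeql-db-js my-codeql-db codeql-agent-results"

# Delete each generated directory under repo root $1 if it is present.
# Prints the number of directories removed so a wrapper can log it.
clean_generated_artifacts() {
  root="$1"
  removed=0
  for d in $GENERATED_DIRS; do
    if [ -d "$root/$d" ]; then
      rm -rf -- "${root:?}/$d"
      removed=$((removed + 1))
    fi
  done
  echo "$removed"
}

# Print the argument list for a CI-aligned `trivy fs` run over repo root $1:
# findings at or above the threshold fail the scan (--exit-code 1), the
# threshold defaults to CRITICAL,HIGH and can be overridden via TRIVY_SEVERITY,
# and the skip set is passed as one comma-separated --skip-dirs value.
trivy_fs_args() {
  root="$1"
  skip=""
  for d in $TRIVY_SKIP_DIRS; do
    skip="${skip:+$skip,}$d"
  done
  echo "fs --exit-code 1 --severity ${TRIVY_SEVERITY:-CRITICAL,HIGH} --skip-dirs $skip $root"
}

# Usage (hypothetical file name): sh scan-hygiene.sh run [repo-root]
if [ "${1:-}" = "run" ]; then
  echo "removed $(clean_generated_artifacts "${2:-.}") generated directories"
  # Word-splitting the argument string is intended here.
  trivy $(trivy_fs_args "${2:-.}")
fi
```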

## Repo hygiene follow-up (separate PR)

The repo root currently contains scan artifacts such as `codeql-results-*.sarif` and `trivy-*.txt`. Follow the repo structure guidance by moving these under `test-results/` and/or adding appropriate `.gitignore` entries.