# PR 718 CodeQL Origin Map

Date: 2026-02-18
Source PR: https://github.com/Wikid82/Charon/pull/718
## Scope

- Mapped all high severity CodeQL alerts from PR 718 (GitHub API `code-scanning/alerts?pr=718&state=open`).
- For each alert, traced `path:line` to the introducing commit via `git blame`.
- Classified each introducing commit as:
  - `on_main=yes`: already reachable from `origin/main`
  - `on_main=no`: not reachable from `origin/main` (arrives via the promotion PR range)
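The three steps above, as an added example that is not Charon's own tooling: it reads the alert JSON shape returned by the GitHub code-scanning API (field names assumed as in the constructed sample, which reuses rule ids and paths from this page), finds the introducing commit by parsing `git blame --porcelain`, and classifies it with the exit code of `git merge-base --is-ancestor`. The `git` parameter exists so the git boundary can be replaced offline.

```python
"""Origin-map helper (added example): alert -> introducing commit -> on_main yes/no.
Run inside the PR checkout with origin/main fetched; alerts come from the API JSON."""
import json
import subprocess
from collections import Counter

# Constructed sample of `code-scanning/alerts?pr=718&state=open` output (trimmed fields).
SAMPLE_ALERTS = json.loads("""[
 {"number": 1109, "rule": {"id": "go/log-injection", "security_severity_level": "high"},
  "most_recent_instance": {"location": {"path": "backend/internal/services/uptime_service.go", "start_line": 1090}}},
 {"number": 1112, "rule": {"id": "js/insecure-temporary-file", "security_severity_level": "high"},
  "most_recent_instance": {"location": {"path": "tests/fixtures/auth-fixtures.ts", "start_line": 181}}},
 {"number": 9999, "rule": {"id": "go/unused-variable", "security_severity_level": "low"},
  "most_recent_instance": {"location": {"path": "backend/main.go", "start_line": 1}}}
]""")

def run_git(args):
    """Run a git command; returns (exit_code, stdout). Swap out for offline tests."""
    p = subprocess.run(["git", *args], capture_output=True, text=True)
    return p.returncode, p.stdout

def blame_origin(path, line, git=run_git):
    """Commit that introduced path:line; porcelain output starts '<sha> <orig> <final> <n>'."""
    code, out = git(["blame", "--porcelain", f"-L{line},{line}", "--", path])
    if code != 0 or not out:
        raise RuntimeError(f"git blame failed for {path}:{line}")
    return out.split(maxsplit=1)[0]

def on_main(commit, base="origin/main", git=run_git):
    """True when commit is already reachable from base (--is-ancestor exits 0)."""
    code, _ = git(["merge-base", "--is-ancestor", commit, base])
    return code == 0

def build_origin_map(alerts, severity="high", git=run_git):
    """Per-alert rows plus per-rule, per-commit and on_main counters for one severity."""
    rows, by_rule, by_commit, on_main_count = [], Counter(), Counter(), Counter()
    for a in alerts:
        if a["rule"].get("security_severity_level") != severity:
            continue  # only the severity being mapped (high, as in this document)
        loc = a["most_recent_instance"]["location"]
        commit = blame_origin(loc["path"], loc["start_line"], git)
        flag = "yes" if on_main(commit, git=git) else "no"
        rows.append((a["number"], a["rule"]["id"], f'{loc["path"]}:{loc["start_line"]}', commit, flag))
        by_rule[a["rule"]["id"]] += 1
        by_commit[commit] += 1
        on_main_count[flag] += 1
    return {"rows": rows, "by_rule": by_rule, "by_commit": by_commit, "on_main": on_main_count}
```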
## Results

- High severity alerts mapped: 67
  - `on_main=yes`: 0
  - `on_main=no`: 67

### Rule distribution (high only)

- `go/log-injection`: 58
- `js/regex/missing-regexp-anchor`: 6
- `js/insecure-temporary-file`: 3
## Dominant introducing commits

- `3169b051561c1a380a09ba086c81d48b4d0bf0ba` → 61 alerts
  - Subject: fix: skip incomplete system log viewer tests
- `a14f6ee41f4ba9718909471a99e7ea8876590954` → 3 alerts
  - Subject: fix: add refresh token endpoint to authentication routes
- `d0334ddd40a54262689283689bff19560458e358` → 1 alert
  - Subject: fix: enhance backup service to support restoration from WAL files and add corresponding tests
- `a44530a682de5ace9e1f29b9b3b4fdf296f1bed2` → 1 alert
  - Subject: fix: change Caddy config reload from async to sync for deterministic applied state
- `5a46ef4219d0bab6f7f951c6d690d3ad22c700c2` → 1 alert
  - Subject: fix: include invite URL in user invitation response and update related tests
## Representative mapped alerts

- 1119 `js/regex/missing-regexp-anchor` at `tests/tasks/import-caddyfile.spec.ts:324`
  - commit: `3169b051561c1a380a09ba086c81d48b4d0bf0ba` (on_main=no)
- 1112 `js/insecure-temporary-file` at `tests/fixtures/auth-fixtures.ts:181`
  - commit: `a14f6ee41f4ba9718909471a99e7ea8876590954` (on_main=no)
- 1109 `go/log-injection` at `backend/internal/services/uptime_service.go:1090`
  - commit: `3169b051561c1a380a09ba086c81d48b4d0bf0ba` (on_main=no)
- 1064 `go/log-injection` at `backend/internal/api/handlers/user_handler.go:545`
  - commit: `5a46ef4219d0bab6f7f951c6d690d3ad22c700c2` (on_main=no)
## Interpretation

- For high alerts, this mapping indicates they are tied to commits not yet on `main` and now being introduced together via the very large promotion range.
- This does not imply all were authored in PR 718; it means PR 718 is the first main-targeting integration point where these commits are entering `main` and being classified in that context.
## Important note on "CodeQL comments only on PRs to main?"

- The workflow in this branch (`.github/workflows/codeql.yml`) is configured for `pull_request` on `main`, `nightly`, and `development`.
- CodeQL itself does not rely on PR comments for enforcement; annotations/check results depend on workflow trigger execution and default-branch security baseline context.