CI: run CodeQL #540

Open
smelc wants to merge 1 commit from smelc/smelc/ci-run-codeql into main
smelc commented 2025-05-09 12:41:38 +00:00 (Migrated from github.com)

## Context

I am experimenting with GitHub's [CodeQL](https://codeql.github.com/) static analyzer and this project is a good target, because it manipulates user input (in URLs).

## How to trust this PR

Look at the vulnerabilities found on my fork: https://github.com/smelc/nix-security-tracker/security/code-scanning IMHO most of the reports are good:

![image](https://github.com/user-attachments/assets/1e54b0ad-85b4-484a-82e7-d8b9888260d4)

By default this check is non-intrusive, because this new pipeline only blocks merging when a new _error_, _critical_, or _high_ severity is found in code changed by the PR (see [corresponding doc](https://docs.github.com/en/enterprise-server@3.13/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#code-scanning-results-check-failures)). As visible in the image above, all existing alerts are below this threshold.

If we want the check to forbid merging PRs on lower severities it is also possible: https://docs.github.com/en/enterprise-server@3.13/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#defining-the-alert-severities-that-cause-a-check-failure-for-a-pull-request, here (not in the branch protection rule, which is why I'm highlighting it here):

![image](https://github.com/user-attachments/assets/aa28db2e-462d-4b80-82ca-304eca091d62)

Note that I disabled analyzing `src/website/shared/migrations` as it seemed to me those files had been generated.

We'll also want to check this in the branch protection settings of the repo:

![image](https://github.com/user-attachments/assets/cbdc9366-a605-4db8-8d7c-f67004972340)

so that malicious users cannot turn CodeQL off/things don't get green if CodeQL is silent.

## Maintenance

I will be available to maintain this pipeline in the foreseeable future, so this shouldn't be an additional burden on the team. Maintaining this will be part of my learning path on CodeQL.
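For readers who want to see what such a pipeline looks like in practice, here is an added example of a minimal CodeQL workflow with the generated migrations excluded. It is not the commit in this PR (the diff is not shown on this page) and it assumes the code base is Python (inferred from the Django-style `src/website/shared/migrations` path) and a hypothetical workflow file location of `.github/workflows/codeql.yml`.

```yaml
# Hypothetical .github/workflows/codeql.yml: an added example, not this PR's commit.
# Assumes a Python code base (inferred from the Django-style migrations path).
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "17 3 * * 1"  # weekly full scan so newly added queries also cover untouched code

# Least privilege for the workflow token: read the repository, write code-scanning results.
permissions:
  contents: read
  actions: read
  security-events: write

jobs:
  analyze:
    name: Analyze (python)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: python
          # Inline CodeQL configuration: skip the generated Django migrations,
          # matching the exclusion described in the PR.
          config: |
            paths-ignore:
              - src/website/shared/migrations

      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:python"
```

Two things are deliberately not in this file, because they live in repository settings rather than in the workflow: the severity threshold at which the pull-request check fails, and the branch-protection rule that marks the CodeQL check as required. The second one is what prevents a PR from turning green when the workflow is deleted, disabled or simply never reports, which is the concern raised above. Note also that `paths-ignore` in a CodeQL config only applies to interpreted languages such as Python and JavaScript, and that pinning the actions to a commit SHA instead of a tag is the usual supply-chain hardening for a security-critical workflow.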
