From 4a70dc4f916f62145d6b728bb99b3170420c90c8 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Fri, 3 Jul 2026 18:25:11 +0000 Subject: [PATCH 1/6] ci: add CodeQL analysis for Python and GitHub Actions Enables CodeQL security scanning with the 'actions' language analyzer, which detects script injection, missing permissions, untrusted checkout, and other GitHub Actions security issues. Also includes Python analysis for code-level security findings. Co-Authored-By: AJ Steers --- .github/workflows/codeql.yml | 41 ++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000..e6294db2d --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,41 @@ +name: "CodeQL" + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + - cron: "0 6 * * 1" + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + timeout-minutes: 30 + permissions: + security-events: write + contents: read + actions: read + strategy: + fail-fast: false + matrix: + language: [python, actions] + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + queries: security-and-quality + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{ matrix.language }}" From d46b57b1a75d5e53fc05886daa13674a321ddb2f Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Fri, 3 Jul 2026 18:28:42 +0000 Subject: [PATCH 2/6] ci: add persist-credentials: false to checkout step Co-Authored-By: AJ Steers --- .github/workflows/codeql.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e6294db2d..52057b489 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -28,6 +28,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@v3 From 5b05a61c272d31f6e0d11e40d3f7ccbeea527f76 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Sun, 5 Jul 2026 08:36:27 +0000 Subject: [PATCH 3/6] ci: rename workflow to codeql-vulnerability-checks and reformat matrix Co-Authored-By: AJ Steers --- .../{codeql.yml => codeql-vulnerability-checks.yml} | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) rename .github/workflows/{codeql.yml => codeql-vulnerability-checks.yml} (90%) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql-vulnerability-checks.yml similarity index 90% rename from .github/workflows/codeql.yml rename to .github/workflows/codeql-vulnerability-checks.yml index 52057b489..a3318179b 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql-vulnerability-checks.yml @@ -1,4 +1,4 @@ -name: "CodeQL" +name: "CodeQL Vulnerability Checks" on: push: @@ -24,7 +24,9 @@ jobs: strategy: fail-fast: false matrix: - language: [python, actions] + language: + - python + - actions steps: - name: Checkout repository uses: actions/checkout@v4 From 2963c579748c5be1829a4ca7c9cc1cbaca2ef08c Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Sun, 5 Jul 2026 08:38:49 +0000 Subject: [PATCH 4/6] ci: bump checkout to v5 and codeql-action to v4 Co-Authored-By: AJ Steers --- .github/workflows/codeql-vulnerability-checks.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql-vulnerability-checks.yml b/.github/workflows/codeql-vulnerability-checks.yml index a3318179b..6b3cf0f8d 100644 --- a/.github/workflows/codeql-vulnerability-checks.yml +++ b/.github/workflows/codeql-vulnerability-checks.yml @@ -29,17 +29,17 @@ jobs: - actions steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} queries: security-and-quality - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@v4 with: category: "/language:${{ matrix.language }}" From 569198f0ced86a9184f55902c257f1d669fb4a3d Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Sun, 5 Jul 2026 08:43:00 +0000 Subject: [PATCH 5/6] ci: bump actions/checkout to v7 (latest) Co-Authored-By: AJ Steers --- .github/workflows/codeql-vulnerability-checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-vulnerability-checks.yml b/.github/workflows/codeql-vulnerability-checks.yml index 6b3cf0f8d..e387144c6 100644 --- a/.github/workflows/codeql-vulnerability-checks.yml +++ b/.github/workflows/codeql-vulnerability-checks.yml @@ -29,7 +29,7 @@ jobs: - actions steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@v7 with: persist-credentials: false From 7626f1400bc5a316a5cc0c19026a883052aff7d3 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Sun, 5 Jul 2026 08:57:14 +0000 Subject: [PATCH 6/6] ci: add CodeQL config file and reference via config-file Co-Authored-By: AJ Steers --- .github/codeql/codeql-config.yml | 6 ++++++ .github/workflows/codeql-vulnerability-checks.yml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 .github/codeql/codeql-config.yml diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 000000000..83061d1cb --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,6 @@ +name: "CodeQL Config" + +# Run the extended "security-and-quality" query suite (a superset of the +# default security queries) for every analyzed language. +queries: + - uses: security-and-quality diff --git a/.github/workflows/codeql-vulnerability-checks.yml b/.github/workflows/codeql-vulnerability-checks.yml index e387144c6..e1e9ed64d 100644 --- a/.github/workflows/codeql-vulnerability-checks.yml +++ b/.github/workflows/codeql-vulnerability-checks.yml @@ -37,7 +37,7 @@ jobs: uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} - queries: security-and-quality + config-file: ./.github/codeql/codeql-config.yml - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4