ci: exclude vendored/build-time tooling from CodeQL scanning#94
Merged
Conversation
Wire the QZP reusable-codeql workflow's codeql_config_file input to a new .github/codeql/codeql-config.yml that paths-ignores generated/vendored code: - backend/venv (third-party Python venv; already git-ignored + purged in #78) - frontend/webcoder_ui/config & scripts (Create React App ejected build-time tooling; paths are developer/CI-controlled, not attacker-reachable) Prevents build-tooling/vendored false positives from re-entering the active CodeQL series.
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
…input) fbb2255 predates the codeql_config_file workflow_call input; passing it caused a CodeQL startup_failure. b950330 (current QZP main) introduces the input.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Wires the QZP reusable CodeQL workflow's
codeql_config_fileinput to a new.github/codeql/codeql-config.ymlthatpaths-ignores generated/vendored/build-time code.Why
The active CodeQL series should never treat vendored or ejected build tooling as application source:
backend/venv— generated Python virtualenv (DRF static JS etc.); already git-ignored and purged from VCS in chore: purge committed backend/venv from version control (coverage + static-analysis hygiene) #78. Defensive so a stray local venv cannot re-pollute scans.frontend/webcoder_ui/config&frontend/webcoder_ui/scripts— Create React App (react-scripts) ejected boilerplate; file paths derive from developer/CI env (NODE_ENV, SSL_CRT_FILE, .env), not attacker-reachable input.Context
Implements the 'exclude vendored from scanning, don't edit it' remediation for the remaining build-tooling/vendored CodeQL findings. The 20 historical open alerts belong to a retired repo-local CodeQL series (frozen at 73c33c8, 2026-03-30) that the current QZP series cannot auto-close; those are being dismissed separately with per-alert justification (removed code / already-remediated workflow permissions / CRA build-tooling false positives).
Test plan