diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 00000000..92111f88 --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,23 @@ +name: "webcoder CodeQL config" + +# Exclude vendored / generated / build-time tooling from CodeQL analysis. +# +# Rationale: +# * backend/venv - generated Python virtualenv (third-party +# packages, e.g. Django REST Framework static +# JS). Already git-ignored and purged from VCS +# in #78; excluded defensively so a stray local +# venv can never re-pollute the scan. +# * frontend/webcoder_ui/config +# * frontend/webcoder_ui/scripts +# - Create React App (react-scripts) *ejected* +# boilerplate. These are build-time Node tools +# whose file paths come from developer/CI env +# vars (NODE_ENV, SSL_CRT_FILE, .env files), +# not from attacker-reachable input. Treating +# them as application source produces +# build-tooling false positives. +paths-ignore: + - backend/venv + - frontend/webcoder_ui/config + - frontend/webcoder_ui/scripts diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 050f8891..1c230a6d 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -22,10 +22,11 @@ jobs: actions: read contents: read security-events: write - uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-codeql.yml@fbb2255753788b93cc79ec917c764d0fc4f52146 + uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-codeql.yml@b95033002271d49cf6526e19baba506fd2419c07 with: repo_slug: ${{ github.repository }} event_name: ${{ github.event_name }} sha: ${{ github.event.pull_request.head.sha || github.sha }} platform_repository: Prekzursil/quality-zero-platform platform_ref: main + codeql_config_file: ./.github/codeql/codeql-config.yml