From f9bec8a1f0f0972644c2239c9f56dbece5f1820c Mon Sep 17 00:00:00 2001 From: Prekzursil Date: Sat, 27 Jun 2026 04:10:51 +0300 Subject: [PATCH 1/2] ci: exclude vendored/build-time tooling from CodeQL scanning Wire the QZP reusable-codeql workflow's codeql_config_file input to a new .github/codeql/codeql-config.yml that paths-ignores generated/vendored code: - backend/venv (third-party Python venv; already git-ignored + purged in #78) - frontend/webcoder_ui/config & scripts (Create React App ejected build-time tooling; paths are developer/CI-controlled, not attacker-reachable) Prevents build-tooling/vendored false positives from re-entering the active CodeQL series. --- .github/codeql/codeql-config.yml | 23 +++++++++++++++++++++++ .github/workflows/codeql.yml | 1 + 2 files changed, 24 insertions(+) create mode 100644 .github/codeql/codeql-config.yml diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 00000000..92111f88 --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,23 @@ +name: "webcoder CodeQL config" + +# Exclude vendored / generated / build-time tooling from CodeQL analysis. +# +# Rationale: +# * backend/venv - generated Python virtualenv (third-party +# packages, e.g. Django REST Framework static +# JS). Already git-ignored and purged from VCS +# in #78; excluded defensively so a stray local +# venv can never re-pollute the scan. +# * frontend/webcoder_ui/config +# * frontend/webcoder_ui/scripts +# - Create React App (react-scripts) *ejected* +# boilerplate. These are build-time Node tools +# whose file paths come from developer/CI env +# vars (NODE_ENV, SSL_CRT_FILE, .env files), +# not from attacker-reachable input. Treating +# them as application source produces +# build-tooling false positives. +paths-ignore: + - backend/venv + - frontend/webcoder_ui/config + - frontend/webcoder_ui/scripts diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 050f8891..2ed0ccc0 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -29,3 +29,4 @@ jobs: sha: ${{ github.event.pull_request.head.sha || github.sha }} platform_repository: Prekzursil/quality-zero-platform platform_ref: main + codeql_config_file: ./.github/codeql/codeql-config.yml From 405c0688403c7c830f9812ec411c24100b856ad5 Mon Sep 17 00:00:00 2001 From: Prekzursil Date: Sat, 27 Jun 2026 04:17:19 +0300 Subject: [PATCH 2/2] ci: bump QZP reusable-codeql pin to b950330 (adds codeql_config_file input) fbb2255 predates the codeql_config_file workflow_call input; passing it caused a CodeQL startup_failure. b950330 (current QZP main) introduces the input. --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 2ed0ccc0..1c230a6d 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -22,7 +22,7 @@ jobs: actions: read contents: read security-events: write - uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-codeql.yml@fbb2255753788b93cc79ec917c764d0fc4f52146 + uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-codeql.yml@b95033002271d49cf6526e19baba506fd2419c07 with: repo_slug: ${{ github.repository }} event_name: ${{ github.event_name }}