ci: extend code analysis (CodeQL actions + security-extended + actionlint) #1249
Merged
Conversation
Enables CodeQL scanning of GitHub Actions workflow files. Catches script-injection via untrusted inputs in run blocks, missing permissions, and similar security issues in CI definitions. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
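An added illustration of the finding class this commit targets (not a file from this PR; the workflow name and event are assumed): a `run:` step that interpolates an attacker-controlled event field directly into the script, beside the hardened form that passes the same value through an environment variable. A top-level `permissions:` block is included because the "missing permissions" finding mentioned above is the other thing the `actions` queries report.

```yaml
# Added example, not part of this PR. Workflow name and trigger are assumed.
name: triage-example
on:
  issues:
    types: [opened]

# Least-privilege default token; the absence of such a block is itself a
# CodeQL "actions" finding.
permissions:
  contents: read

jobs:
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      # BAD: the issue title is user-controlled and is substituted into the
      # shell script text before it executes, so it is treated as code, not data.
      - run: echo "New issue: ${{ github.event.issue.title }}"

  hardened:
    runs-on: ubuntu-latest
    steps:
      # GOOD: the expression is evaluated into an environment variable; the
      # script only reads it as a double-quoted shell parameter.
      - env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $ISSUE_TITLE"
```

The `env:` indirection is the standard remediation: the runner resolves `${{ }}` expressions before the shell starts, so anything placed inside the script body is already part of the program by the time it runs, whereas an environment variable is never re-parsed.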
The default query suite focuses on high-precision findings. The security-extended suite adds queries with lower precision that still turn up real issues — broader coverage at the cost of more triage work. Easy to revert per-language via a matrix field if any one language becomes too noisy. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
actionlint catches GitHub Actions issues that CodeQL doesn't: deprecated syntax, typos in event/job/step keys, shellcheck on run: blocks, glob/regex mistakes in paths filters, etc. Complements the security-focused CodeQL actions extractor. Triggers only on changes under .github/workflows/, so it's near-free when the rest of the tree changes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
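Added example of what the three commits describe together (these are not the PR's own workflow files; the file paths, branch name and the repository's other language are assumed): a CodeQL workflow whose matrix includes the `actions` language and carries the query suite as a per-language field, so one language can be switched back later, followed by a separate actionlint workflow that only triggers on changes under `.github/workflows/`.

```yaml
# Added example, not the files from this PR.
# .github/workflows/codeql.yml (path assumed)
name: CodeQL
on:
  push:
    branches: [main]       # branch name assumed
  pull_request:
    branches: [main]

permissions:
  contents: read

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # required to upload SARIF results
      contents: read
      actions: read
    strategy:
      fail-fast: false
      matrix:
        include:
          # "actions" scans the workflow files themselves; no build needed.
          - language: actions
            build-mode: none
            queries: security-extended
          # Stand-in for the repository's real language(s); assumed here.
          - language: python
            build-mode: none
            queries: security-extended
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          # Suite comes from the matrix entry, so a noisy language can be
          # changed individually without touching the others.
          queries: ${{ matrix.queries }}
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"

---
# .github/workflows/actionlint.yml (path assumed)
name: actionlint
on:
  push:
    paths: ['.github/workflows/**']
  pull_request:
    paths: ['.github/workflows/**']

permissions:
  contents: read

jobs:
  actionlint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # actionlint's own download script; it accepts a release version as its
      # first argument, which is how you would pin it rather than tracking main.
      # shellcheck is invoked on run: blocks automatically when it is on PATH.
      - name: Run actionlint
        run: |
          bash <(curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
          ./actionlint -color
```

The `paths:` filter is what makes the second workflow near-free on ordinary commits: it is skipped entirely unless a workflow file changed, while the CodeQL job still runs on every push and pull request.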
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation.
Summary
Three small commits extending CI code analysis coverage:
- ci(codeql): add actions language — enables CodeQL scanning of GitHub Actions workflow files. Catches script-injection via untrusted inputs in `run:` blocks, missing permissions, and similar workflow-security issues.
- ci(codeql): use security-extended query suite — switches from the default query suite to `security-extended`, which adds lower-precision queries that still turn up real issues. Easy to scope per-language later if any one becomes too noisy.
- ci: add actionlint workflow — adds actionlint as a separate workflow that runs on changes under `.github/workflows/`. Catches what CodeQL doesn't: deprecated syntax, typos in event/job/step keys, shellcheck on `run:` blocks, glob/regex mistakes.

Test plan
actions) security-extended get triaged separately

🤖 Generated with Claude Code