Skip to content

ci: remove CodeQL code-scanning workflow#27

Merged
bdimitrov-netzine merged 1 commit into
mainfrom
ci/remove-codeql
Jul 10, 2026
Merged

ci: remove CodeQL code-scanning workflow#27
bdimitrov-netzine merged 1 commit into
mainfrom
ci/remove-codeql

Conversation

@bdimitrov-netzine

Copy link
Copy Markdown
Contributor

Removes .github/workflows/codeql.yml (the weekly + push-to-main CodeQL Rust analysis).

After merge, no new CodeQL runs or alerts will be produced from this workflow.

Heads up: this only removes the advanced (workflow-based) setup. If GitHub's default CodeQL setup is enabled for the repo, or code-scanning is required by a branch-protection / org security policy, that must be disabled separately under Settings → Code security.

Drop the weekly/push-to-main CodeQL Rust analysis. Removing it stops the
scheduled + on-push runs and no new alerts will be produced going forward.

Note: this only removes the advanced (workflow-based) setup. If GitHub's
'default' CodeQL setup is also enabled for the repo, or code-scanning is
required by a branch-protection/org policy, that must be turned off in
Settings > Code security separately.
@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Claude finished @bdimitrov-netzine's task in 54s —— View job


PR Review

  • Gather context
  • Review deleted workflow file
  • Check for other CodeQL references in the repo
  • Post review findings

Summary

This PR cleanly removes the CodeQL workflow. The deletion is technically correct — no other files in the repo reference CodeQL, so this is a pure, self-contained removal with no dangling references.

What's being lost

The deleted workflow was well-crafted:

  • security-extended queries — broader SAST coverage than the default suite, catching a wider class of vulnerabilities in Rust code
  • Pinned action SHAs — supply-chain-safe action references (e.g., actions/checkout@de0fac2e..., github/codeql-action/init@54f647b7...)
  • Minimal permissionscontents: read at the workflow level, security-events: write scoped only to the job that needs it
  • Thoughtful path exclusions — test dirs, benches, examples, and crates/testing/** excluded from analysis to reduce noise and focus alerts on shipped code
  • Appropriate trigger cadence — push-to-main + weekly schedule avoided the ~40 min runtime cost on every PR

After merge, the GitHub Security → Code Scanning tab will retain historical alerts but no new findings will be generated from this workflow.

Considerations

  1. Security coverage gap: This removes the only automated SAST tool on the codebase. If no replacement is planned (e.g., cargo-audit, cargo-geiger, or another SAST), the repo loses proactive vulnerability detection for the Rust workspace.

  2. PR body is accurate — the note about GitHub's default CodeQL setup needing separate disablement under Settings → Code security is correct and important. If default setup is on, CodeQL will still run (just with language autodetection, which previously misidentified this Rust repo as Java — the reason this advanced setup existed in the first place).

  3. Open alerts: Any existing open CodeQL alerts in the Code Scanning tab won't be auto-dismissed after removal. They'll need to be manually dismissed or will persist until the default setup (if active) runs and processes them.

Verdict

The change is technically sound and complete. The main question is intentionality around security coverage: is there a replacement SAST strategy, or is this a deliberate decision to drop automated code scanning? If the latter, documenting that rationale (e.g., in a commit message or team decision log) would be worthwhile.

No blocking issues — approve if the team is intentionally moving away from CodeQL.

@github-actions

Copy link
Copy Markdown
Contributor

Security Scan - Code

Severity: HIGH, CRITICAL

No vulnerabilities found

View scan results

Report Summary

┌─────────────────────────────────────────────┬────────────┬─────────────────┬───────────────────┐
│                   Target                    │    Type    │ Vulnerabilities │ Misconfigurations │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ Cargo.lock                                  │   cargo    │        0        │         -         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ crates/testing/fuzz-targets/Cargo.lock      │   cargo    │        0        │         -         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ crates/testing/fuzz-targets/fuzz/Cargo.lock │   cargo    │        0        │         -         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ etc/state-sum/Cargo.lock                    │   cargo    │        0        │         -         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ etc/tps/package-lock.json                   │    npm     │        0        │         -         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ rayls-contracts/package-lock.json           │    npm     │        0        │         -         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ etc/chaos-network/Dockerfile                │ dockerfile │        -        │         0         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ etc/docker-network/Dockerfile               │ dockerfile │        -        │         0         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ etc/docker-replay/Dockerfile                │ dockerfile │        -        │         0         │
└─────────────────────────────────────────────┴────────────┴─────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

@bdimitrov-netzine bdimitrov-netzine merged commit 9f4409e into main Jul 10, 2026
11 of 15 checks passed
@bdimitrov-netzine bdimitrov-netzine deleted the ci/remove-codeql branch July 10, 2026 17:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants