From dddea3a48f45fe54bed575e011eb3ff967d1b9e9 Mon Sep 17 00:00:00 2001 From: YeagerAI-Bulat Date: Fri, 29 Nov 2024 19:28:11 +0700 Subject: [PATCH 1/4] feat(security): added codeql scanning --- .github/ workflows/codeql.yml | 70 ++++++++++++++++++++++++++++ .github/codeql/typescript-config.yml | 24 ++++++++++ 2 files changed, 94 insertions(+) create mode 100644 .github/ workflows/codeql.yml create mode 100644 .github/codeql/typescript-config.yml diff --git a/.github/ workflows/codeql.yml b/.github/ workflows/codeql.yml new file mode 100644 index 0000000..35fe351 --- /dev/null +++ b/.github/ workflows/codeql.yml @@ -0,0 +1,70 @@ +name: "CodeQL security scanning" + +on: + pull_request: + types: [opened, reopened, synchronize, ready_for_review] + schedule: + - cron: '0 0 * * 0' # Run weekly on Sunday at midnight + workflow_dispatch: + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + timeout-minutes: 60 + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'javascript-typescript' ] + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + queries: security-extended,security-and-quality + config-file: ./.github/codeql/typescript-config.yml + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '20' + cache: 'npm' + + # Explicitly build the frontend projects to ensure CodeQL can analyze them + - name: Install Dependencies for UI Wizard + working-directory: ./ui-wizard + run: npm install + + - name: Install Dependencies for Explorer + working-directory: ./explorer + run: npm install + + - name: Install Dependencies for Bridge + working-directory: ./bridge + run: npm install + + - name: Build UI Wizard + working-directory: ./ui-wizard + run: npm run dev + + - name: Build Explorer + working-directory: ./explorer + run: npm run dev + + - name: Build Bridge + working-directory: ./bridge + run: npm run dev + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{ matrix.language }}" \ No newline at end of file diff --git a/.github/codeql/typescript-config.yml b/.github/codeql/typescript-config.yml new file mode 100644 index 0000000..e704f32 --- /dev/null +++ b/.github/codeql/typescript-config.yml @@ -0,0 +1,24 @@ +name: "TypeScript and Vue.js Configuration" + +queries: + - uses: security-extended + - uses: security-and-quality + +paths: + - ui-wizard + - explorer +paths-ignore: + - '**/node_modules' + - '**/dist' + - '**/build' + - '**/*.test.ts' + - '**/*.spec.ts' + - '**/test' + - '**/tests' + - '**/__tests__' + +query-filters: + - exclude: + problem.severity: + - note + - recommendation From 11890c7eba85a7f41c3b916170fb9c91dd20bfc1 Mon Sep 17 00:00:00 2001 From: YeagerAI-Bulat Date: Fri, 29 Nov 2024 19:32:25 +0700 Subject: [PATCH 2/4] ci --- .github/ workflows/codeql.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/ workflows/codeql.yml b/.github/ workflows/codeql.yml index 35fe351..8bcf3fd 100644 --- a/.github/ workflows/codeql.yml +++ b/.github/ workflows/codeql.yml @@ -1,6 +1,8 @@ name: "CodeQL security scanning" on: + push: + branches: main pull_request: types: [opened, reopened, synchronize, ready_for_review] schedule: From f6890cb58ab58f59b6968198f7bc54fa34a1c2c4 Mon Sep 17 00:00:00 2001 From: YeagerAI-Bulat Date: Fri, 29 Nov 2024 19:41:37 +0700 Subject: [PATCH 3/4] fix --- .github/ workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ workflows/codeql.yml b/.github/ workflows/codeql.yml index 8bcf3fd..3ec7363 100644 --- a/.github/ workflows/codeql.yml +++ b/.github/ workflows/codeql.yml @@ -2,7 +2,7 @@ name: "CodeQL security scanning" on: push: - branches: main + branches: main, codeql # TODO: remove codeql branch after testing pull_request: types: [opened, reopened, synchronize, ready_for_review] schedule: From c2693a6ee58261765b505f0633933d5efd1f3e41 Mon Sep 17 00:00:00 2001 From: YeagerAI-Bulat Date: Fri, 29 Nov 2024 19:55:42 +0700 Subject: [PATCH 4/4] test --- .github/ workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ workflows/codeql.yml b/.github/ workflows/codeql.yml index 3ec7363..2778192 100644 --- a/.github/ workflows/codeql.yml +++ b/.github/ workflows/codeql.yml @@ -2,7 +2,7 @@ name: "CodeQL security scanning" on: push: - branches: main, codeql # TODO: remove codeql branch after testing + # branches: main, codeql # TODO: remove codeql branch after testing pull_request: types: [opened, reopened, synchronize, ready_for_review] schedule: