ci: add CodeQL analysis for Python and GitHub Actions#1053
Aaron ("AJ") Steers (aaronsteers) wants to merge 2 commits into
Enables CodeQL security scanning with python and actions language analyzers using the security-and-quality query suite. The actions analyzer detects workflow vulnerabilities like script injection, missing permissions, and untrusted checkout.

Co-Authored-By: AJ Steers <aj@airbyte.io>
👋 Greetings, Airbyte Team Member! Here are some helpful tips and reminders for your convenience.

Testing This PyAirbyte Version: You can test this version of PyAirbyte using the following:

# Run PyAirbyte CLI from this branch:
uvx --from 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1783103177-add-codeql' pyairbyte --help

# Install PyAirbyte from this branch for development:
pip install 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1783103177-add-codeql'

PR Slash Commands: Airbyte Maintainers can execute the following slash commands on your PR:

Helpful Resources / Community Support: Questions? Join the #pyairbyte channel in our Slack workspace.
📝 Walkthrough: Adds a new GitHub Actions workflow file (CodeQL workflow setup).

Estimated code review effort: 1 (Trivial) | ~5 minutes. Related Issues: None specified. Related PRs: None specified. Suggested labels: ci, github-actions, security. Suggested reviewers: Would it make sense to loop in someone from the security or DevOps side who owns CI configs, wdyt?

🚥 Pre-merge checks: ✅ 5 passed.
🧹 Nitpick comments (1)

.github/workflows/codeql.yml (1)

Lines 30-41: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win. Could you pin actions/checkout and github/codeql-action to reviewed SHAs, and bump CodeQL from @v3 to @v4? In .github/workflows/codeql.yml, the workflow still relies on mutable major tags; pinning them would better match the supply-chain hardening this job is meant to provide.

🤖 Prompt for AI Agents: Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/codeql.yml around lines 30 - 41, the CodeQL workflow is still using mutable action tags, so update the checkout and CodeQL steps in the workflow to reference reviewed commit SHAs instead of version tags. Locate the `actions/checkout` usage and the `github/codeql-action/init` and `github/codeql-action/analyze` steps, pin each to a reviewed SHA, and bump the CodeQL action reference from v3 to v4 while keeping the existing workflow behavior unchanged.
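As an added example for this thread (not PyAirbyte's or CodeRabbit's code), a small checker for the two hardening points discussed here, mutable action tags instead of commit SHAs and a missing top-level permissions block, run over a constructed workflow snippet modelled on the CodeQL workflow this PR describes; the real codeql.yml is not on this page, so the sample is an assumption.

```python
# Added example for this discussion, not PyAirbyte code: flag 'uses:' refs pinned
# to mutable tags instead of commit SHAs, and check for a top-level permissions block.
import re

# Constructed sample resembling the unpinned workflow under review (assumed content).
SAMPLE_WORKFLOW = """\
name: CodeQL
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python
          queries: security-and-quality
      - uses: github/codeql-action/analyze@v3
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text: str) -> list[str]:
    """Return 'uses:' refs whose version part is not a 40-hex commit SHA.
    Local ('./...') and docker:// references are skipped."""
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue
        ref = m.group(1)
        if not SHA_RE.match(ref.partition("@")[2]):
            unpinned.append(ref)
    return unpinned


def has_top_level_permissions(workflow_text: str) -> bool:
    """True if a 'permissions:' key appears at column 0 (workflow scope)."""
    return any(line.startswith("permissions:") for line in workflow_text.splitlines())


if __name__ == "__main__":
    for ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print("unpinned:", ref)
    if not has_top_level_permissions(SAMPLE_WORKFLOW):
        print("missing top-level permissions block")
```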
Code Coverage Overview (Languages: Python)

- Python / code-coverage/pytest-fast: The overall coverage in the branch is 67%. The coverage in the branch is 65%.
- Python / code-coverage/pytest-no-creds: The overall coverage in the branch is 67%. The coverage in the branch is 65%.
- Python / code-coverage/pytest: The overall coverage in the branch is 72%. The coverage in the branch is 71%.
Summary
Adds CodeQL security scanning with python and actions language analyzers using the security-and-quality query suite. The actions analyzer detects GitHub Actions-specific vulnerabilities like script injection (actions/dangerous-action-command), missing permissions blocks, and untrusted checkout. Runs on push/PR to main and weekly on Monday.

Link to Devin session: https://app.devin.ai/sessions/fe5d63b3474f4fe6990b6f8f7a47f8ed
Requested by: Aaron ("AJ") Steers (@aaronsteers)