Skip to content

ci: add CodeQL analysis for Python and GitHub Actions#1065

Open
Aaron ("AJ") Steers (aaronsteers) wants to merge 6 commits into
mainfrom
devin/1783103098-add-codeql-actions
Open

ci: add CodeQL analysis for Python and GitHub Actions#1065
Aaron ("AJ") Steers (aaronsteers) wants to merge 6 commits into
mainfrom
devin/1783103098-add-codeql-actions

Conversation

@aaronsteers

@aaronsteers Aaron ("AJ") Steers (aaronsteers) commented Jul 3, 2026

Copy link
Copy Markdown
Member

Summary

Adds CodeQL security scanning with both python and actions language analyzers using the security-and-quality query suite.

The actions analyzer detects GitHub Actions-specific vulnerabilities like script injection (actions/dangerous-action-command), missing permissions blocks, and untrusted checkout — the same class of vulnerability we just fixed in #1064. Having this enabled would have caught that issue automatically.

Runs on push/PR to main and weekly on Monday.

Link to Devin session: https://app.devin.ai/sessions/fe5d63b3474f4fe6990b6f8f7a47f8ed
Requested by: Aaron ("AJ") Steers (@aaronsteers)

Summary by CodeRabbit

  • New Features
    • Added automated CodeQL security scanning for the repository.
    • Scans now run on main-branch pushes, pull requests to main, and on a weekly schedule.
    • Analysis covers both Python and GitHub Actions code with organized reporting and safer run scheduling.

Enables CodeQL security scanning with the 'actions' language analyzer,
which detects script injection, missing permissions, untrusted checkout,
and other GitHub Actions security issues.

Also includes Python analysis for code-level security findings.

Co-Authored-By: AJ Steers <aj@airbyte.io>
@devin-ai-integration

Copy link
Copy Markdown
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

💡 Show Tips and Tricks

Testing This CDK Version

You can test this version of the CDK using the following:

# Run the CLI from this branch:
uvx 'git+https://github.com/airbytehq/airbyte-python-cdk.git@devin/1783103098-add-codeql-actions#egg=airbyte-python-cdk[dev]' --help

# Update a connector to use the CDK from this branch ref:
cd airbyte-integrations/connectors/source-example
poe use-cdk-branch devin/1783103098-add-codeql-actions

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:

  • /autofix - Fixes most formatting and linting issues
  • /poetry-lock - Updates poetry.lock file
  • /test - Runs connector tests with the updated CDK
  • /prerelease - Triggers a prerelease publish with default arguments
  • /poe build - Regenerate git-committed build artifacts, such as the pydantic models which are generated from the manifest JSON schema in YAML.
  • /poe <command> - Runs any poe command in the CDK environment
📚 Show Repo Guidance

Helpful Resources

📝 Edit this welcome message.

@devin-ai-integration devin-ai-integration Bot marked this pull request as ready for review July 3, 2026 18:26

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

Open in Devin Review

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@devin-ai-integration[bot], you've reached your PR review limit, so we couldn't start this review.

Next review available in: 41 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 0907b371-e195-4a35-bd78-739c6f70ad91

📥 Commits

Reviewing files that changed from the base of the PR and between 4a70dc4 and 7626f14.

📒 Files selected for processing (2)
  • .github/codeql/codeql-config.yml
  • .github/workflows/codeql-vulnerability-checks.yml
📝 Walkthrough

Walkthrough

This PR adds a new GitHub Actions workflow, "CodeQL", triggered on pushes to main, pull requests to main, and a weekly cron. It runs a matrix analysis over python and actions languages using github/codeql-action init and analyze steps with security-and-quality queries.

Changes

CodeQL Workflow Setup

Layer / File(s) Summary
Workflow triggers, job, and analysis steps
.github/workflows/codeql.yml
Adds triggers (push/PR to main, weekly cron), concurrency control, an analyze job with a language matrix (python, actions), and steps to checkout, initialize, and run CodeQL analysis with security-and-quality queries.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Related issues: None referenced in the provided context.

Related PRs: None referenced in the provided context.

Suggested labels: ci, github-actions, security

Suggested reviewers: Could a maintainer familiar with the CI/CD setup take a look at the matrix languages and timeout value — do they seem right for this repo's size, wdyt?

🐰 A poem for the occasion

A rabbit hops through workflows new,
CodeQL scans for bugs to chew,
Python and actions, side by side,
Weekly checks, and PRs too—
Security-and-quality, our loyal guide! 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding CodeQL analysis for Python and GitHub Actions.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch devin/1783103098-add-codeql-actions

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/codeql.yml (1)

30-30: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider pinning actions to a commit SHA instead of a mutable tag?

actions/checkout@v4, github/codeql-action/init@v3, and analyze@v3 are all referenced by mutable major-version tags. For a security-scanning workflow in particular, pinning to a full commit SHA (with a version comment) hardens against tag-repointing supply-chain attacks. wdyt?

Also applies to: 33-33, 39-39

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml at line 30, The workflow currently uses mutable
action tags for actions/checkout, github/codeql-action/init, and
github/codeql-action/analyze, which should be hardened by pinning each action to
a full commit SHA. Update the CodeQL workflow entries to reference immutable
SHAs and keep the existing version comments for readability. Use the action
identifiers checkout, init, and analyze in the workflow to locate and replace
the tagged references consistently.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql.yml:
- Around line 29-30: The checkout step in the workflow currently uses
actions/checkout@v4 with default credential persistence, which can leave the
GitHub token in the local git config. Update the existing Checkout repository
step to disable persisted credentials by setting persist-credentials to false on
actions/checkout@v4, since the workflow does not need to reuse the token after
checkout.

---

Nitpick comments:
In @.github/workflows/codeql.yml:
- Line 30: The workflow currently uses mutable action tags for actions/checkout,
github/codeql-action/init, and github/codeql-action/analyze, which should be
hardened by pinning each action to a full commit SHA. Update the CodeQL workflow
entries to reference immutable SHAs and keep the existing version comments for
readability. Use the action identifiers checkout, init, and analyze in the
workflow to locate and replace the tagged references consistently.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 6456465f-2e7e-4329-b30f-8b260f54826e

📥 Commits

Reviewing files that changed from the base of the PR and between 53785b6 and 4a70dc4.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml

Comment thread .github/workflows/codeql-vulnerability-checks.yml Outdated
Co-Authored-By: AJ Steers <aj@airbyte.io>
Copilot AI review requested due to automatic review settings July 3, 2026 18:28
@aaronsteers Aaron ("AJ") Steers (aaronsteers) removed the request for review from Copilot July 3, 2026 18:28
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

PyTest Results (Fast)

4 123 tests  ±0   4 111 ✅ ±0   7m 43s ⏱️ +7s
    1 suites ±0      12 💤 ±0 
    1 files   ±0       0 ❌ ±0 

Results for commit 7626f14. ± Comparison against base commit 53785b6.

♻️ This comment has been updated with latest results.

Comment thread .github/workflows/codeql.yml Outdated
Comment thread .github/workflows/codeql.yml Outdated
Copilot AI review requested due to automatic review settings July 5, 2026 08:36
@aaronsteers Aaron ("AJ") Steers (aaronsteers) removed the request for review from Copilot July 5, 2026 08:36
Co-Authored-By: AJ Steers <aj@airbyte.io>
Copilot AI review requested due to automatic review settings July 5, 2026 08:38
@aaronsteers Aaron ("AJ") Steers (aaronsteers) removed the request for review from Copilot July 5, 2026 08:38
Co-Authored-By: AJ Steers <aj@airbyte.io>
Copilot AI review requested due to automatic review settings July 5, 2026 08:43
@aaronsteers Aaron ("AJ") Steers (aaronsteers) removed the request for review from Copilot July 5, 2026 08:43
Co-Authored-By: AJ Steers <aj@airbyte.io>
Copilot AI review requested due to automatic review settings July 5, 2026 08:57
@aaronsteers Aaron ("AJ") Steers (aaronsteers) removed the request for review from Copilot July 5, 2026 08:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant