ci: add CodeQL analysis for Python and GitHub Actions#1065
ci: add CodeQL analysis for Python and GitHub Actions#1065Aaron ("AJ") Steers (aaronsteers) wants to merge 6 commits into
Conversation
Enables CodeQL security scanning with the 'actions' language analyzer, which detects script injection, missing permissions, untrusted checkout, and other GitHub Actions security issues. Also includes Python analysis for code-level security findings. Co-Authored-By: AJ Steers <aj@airbyte.io>
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
👋 Greetings, Airbyte Team Member!Here are some helpful tips and reminders for your convenience. 💡 Show Tips and TricksTesting This CDK VersionYou can test this version of the CDK using the following: # Run the CLI from this branch:
uvx 'git+https://github.com/airbytehq/airbyte-python-cdk.git@devin/1783103098-add-codeql-actions#egg=airbyte-python-cdk[dev]' --help
# Update a connector to use the CDK from this branch ref:
cd airbyte-integrations/connectors/source-example
poe use-cdk-branch devin/1783103098-add-codeql-actionsPR Slash CommandsAirbyte Maintainers can execute the following slash commands on your PR:
|
|
Warning Review limit reached
Next review available in: 41 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughThis PR adds a new GitHub Actions workflow, "CodeQL", triggered on pushes to main, pull requests to main, and a weekly cron. It runs a matrix analysis over python and actions languages using github/codeql-action init and analyze steps with security-and-quality queries. ChangesCodeQL Workflow Setup
Estimated code review effort: 1 (Trivial) | ~5 minutes Related issues: None referenced in the provided context. Related PRs: None referenced in the provided context. Suggested labels: ci, github-actions, security Suggested reviewers: Could a maintainer familiar with the CI/CD setup take a look at the matrix languages and timeout value — do they seem right for this repo's size, wdyt? 🐰 A poem for the occasionA rabbit hops through workflows new, 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/codeql.yml (1)
30-30: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winConsider pinning actions to a commit SHA instead of a mutable tag?
actions/checkout@v4,github/codeql-action/init@v3, andanalyze@v3are all referenced by mutable major-version tags. For a security-scanning workflow in particular, pinning to a full commit SHA (with a version comment) hardens against tag-repointing supply-chain attacks. wdyt?Also applies to: 33-33, 39-39
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/codeql.yml at line 30, The workflow currently uses mutable action tags for actions/checkout, github/codeql-action/init, and github/codeql-action/analyze, which should be hardened by pinning each action to a full commit SHA. Update the CodeQL workflow entries to reference immutable SHAs and keep the existing version comments for readability. Use the action identifiers checkout, init, and analyze in the workflow to locate and replace the tagged references consistently.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/codeql.yml:
- Around line 29-30: The checkout step in the workflow currently uses
actions/checkout@v4 with default credential persistence, which can leave the
GitHub token in the local git config. Update the existing Checkout repository
step to disable persisted credentials by setting persist-credentials to false on
actions/checkout@v4, since the workflow does not need to reuse the token after
checkout.
---
Nitpick comments:
In @.github/workflows/codeql.yml:
- Line 30: The workflow currently uses mutable action tags for actions/checkout,
github/codeql-action/init, and github/codeql-action/analyze, which should be
hardened by pinning each action to a full commit SHA. Update the CodeQL workflow
entries to reference immutable SHAs and keep the existing version comments for
readability. Use the action identifiers checkout, init, and analyze in the
workflow to locate and replace the tagged references consistently.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 6456465f-2e7e-4329-b30f-8b260f54826e
📒 Files selected for processing (1)
.github/workflows/codeql.yml
Co-Authored-By: AJ Steers <aj@airbyte.io>
Co-Authored-By: AJ Steers <aj@airbyte.io>
Co-Authored-By: AJ Steers <aj@airbyte.io>
Co-Authored-By: AJ Steers <aj@airbyte.io>
Co-Authored-By: AJ Steers <aj@airbyte.io>
Summary
Adds CodeQL security scanning with both
pythonandactionslanguage analyzers using thesecurity-and-qualityquery suite.The
actionsanalyzer detects GitHub Actions-specific vulnerabilities like script injection (actions/dangerous-action-command), missing permissions blocks, and untrusted checkout — the same class of vulnerability we just fixed in #1064. Having this enabled would have caught that issue automatically.Runs on push/PR to
mainand weekly on Monday.Link to Devin session: https://app.devin.ai/sessions/fe5d63b3474f4fe6990b6f8f7a47f8ed
Requested by: Aaron ("AJ") Steers (@aaronsteers)
Summary by CodeRabbit