|
1 | 1 | # CodeQL Workflow Configuration |
2 | 2 |
|
3 | | -## Current State: Dual CodeQL Setup |
4 | | - |
5 | | -This repository currently has **two CodeQL analysis configurations** running: |
6 | | - |
7 | | -### 1. Custom CodeQL Workflow (`.github/workflows/codeql.yml`) |
8 | | -- **Location**: `.github/workflows/codeql.yml` |
9 | | -- **Status**: Active, but results NOT uploaded to GitHub Security |
10 | | -- **Configuration**: Custom setup with advanced features |
11 | | -- **Languages**: C# and JavaScript/TypeScript (matrix strategy) |
12 | | -- **Custom Config**: `.github/codeql/codeql-config.yml` (path filtering) |
13 | | -- **Upload Setting**: `upload: false` (to avoid conflicts with default setup) |
14 | | - |
15 | | -### 2. GitHub Default Setup |
16 | | -- **Location**: Enabled in repository settings (no visible file) |
17 | | -- **Status**: Active (inferred from workflow comments) |
18 | | -- **Configuration**: GitHub-managed default |
19 | | -- **Languages**: Auto-detected |
20 | | -- **Results**: Uploaded to GitHub Security tab |
21 | | - |
22 | | -## Why This Exists |
23 | | - |
24 | | -The comment in `codeql.yml` lines 78-80 states: |
25 | | -```yaml |
26 | | -# Prevent workflow failure when GitHub "default setup" code scanning is enabled. |
27 | | -# If you want advanced results uploaded, disable default setup or set upload: true. |
28 | | -upload: false |
| 3 | +Melodee uses one version-controlled CodeQL advanced setup. The workflow in |
| 4 | +`.github/workflows/codeql.yml` uploads results for every supported application |
| 5 | +language to GitHub code scanning. |
| 6 | + |
| 7 | +## Scanning Coverage |
| 8 | + |
| 9 | +The workflow runs for pushes and pull requests targeting `main`, every Sunday |
| 10 | +at 00:00 UTC, and on manual dispatch. Its matrix analyzes: |
| 11 | + |
| 12 | +- GitHub Actions workflows using the interpreted `none` build mode. |
| 13 | +- C# using `autobuild`, so CodeQL observes the compiled solution. |
| 14 | +- JavaScript and TypeScript using the interpreted `none` build mode. |
| 15 | +- Python using the interpreted `none` build mode and its local threat model. |
| 16 | + |
| 17 | +The shared configuration in `.github/codeql/codeql-config.yml` excludes |
| 18 | +documentation, tests, benchmarks, and vendored minified JavaScript from |
| 19 | +interpreted-language analysis. C#, JavaScript/TypeScript, and Actions use the |
| 20 | +default remote threat model. Python uses |
| 21 | +`.github/codeql/codeql-python-config.yml`, which extends the default model with |
| 22 | +local files, command-line arguments, environment variables, and other local |
| 23 | +sources used by maintenance scripts. Neither configuration excludes C# |
| 24 | +findings by rule. |
| 25 | + |
| 26 | +This split is deliberate. The compiled web application has a remote request |
| 27 | +boundary, and treating all application-owned database and filesystem state as |
| 28 | +attacker-controlled creates unactionable C# flows. Python maintenance tools |
| 29 | +really do accept local files, environment variables, and command-line values |
| 30 | +from an administrator, so the local threat model accurately represents their |
| 31 | +trust boundary. Do not enable `threat-models: local` globally to make the two |
| 32 | +very different execution models look uniform. |
| 33 | + |
| 34 | +The local models are intentionally narrow. They identify |
| 35 | +`LogSanitizer.Sanitize` as a barrier only for the `log-injection` flow kind and |
| 36 | +`ConfigurationLogRedactor.RedactValue` as a barrier only when values would be |
| 37 | +persisted to an external location such as a log. They are packaged under |
| 38 | +`.github/codeql/extensions/log-sanitizer` so advanced and default setup can |
| 39 | +discover them. The `.yml` suffix is intentional because the pack manifest only |
| 40 | +loads model files matching `models/**/*.yml`. |
| 41 | +Repository-wide query exclusions must not be added to hide a false positive. |
| 42 | +Prefer a source fix or a precise CodeQL model; dismiss an individual alert only |
| 43 | +when neither option accurately represents the behavior. |
| 44 | + |
| 45 | +All workflow actions are pinned to verified full commit SHAs. Keep the release |
| 46 | +comments beside those SHAs when updating the pins so reviews can identify the |
| 47 | +corresponding upstream release. |
| 48 | + |
| 49 | +## Required Repository Configuration |
| 50 | + |
| 51 | +GitHub default setup must remain disabled while this advanced workflow is |
| 52 | +active. Enabling both configurations can disable advanced uploads, duplicate |
| 53 | +work, and leave alert status attached to a configuration that no longer runs. |
| 54 | + |
| 55 | +To verify the setting: |
| 56 | + |
| 57 | +1. Open the repository settings and select **Advanced Security** or |
| 58 | + **Code security and analysis**. |
| 59 | +2. Find **CodeQL analysis** under code scanning. |
| 60 | +3. Confirm default setup is disabled and the checked-in advanced workflow is |
| 61 | + enabled. |
| 62 | + |
| 63 | +The REST API reports the same state through: |
| 64 | + |
| 65 | +```shell |
| 66 | +gh api repos/melodee-project/melodee/code-scanning/default-setup |
29 | 67 | ``` |
30 | 68 |
|
31 | | -This indicates that both setups were running, causing conflicts. The custom workflow was modified to NOT upload results to avoid workflow failures. |
32 | | -
|
33 | | -## Problem |
34 | | -
|
35 | | -Having two CodeQL setups is inefficient and confusing: |
36 | | -- ❌ Duplicate analysis runs (wastes CI/CD minutes) |
37 | | -- ❌ Custom workflow results not visible in Security tab |
38 | | -- ❌ Configuration spread across multiple systems |
39 | | -- ❌ Unclear which analysis results are authoritative |
40 | | -
|
41 | | -## Recommended Solution: Keep Custom Workflow |
42 | | -
|
43 | | -**Advantages of the custom workflow:** |
44 | | -1. ✅ **Path filtering** - Excludes docs, vendored JS, benchmarks (via `codeql-config.yml`) |
45 | | -2. ✅ **Explicit language control** - C# and JavaScript/TypeScript |
46 | | -3. ✅ **Version control** - Configuration tracked in Git |
47 | | -4. ✅ **Transparency** - Visible in repository, reviewable in PRs |
48 | | -5. ✅ **Flexibility** - Can add custom queries, modify triggers, adjust timeout |
49 | | -6. ✅ **Already proven** - Working configuration with comprehensive security audit |
50 | | - |
51 | | -**Steps to migrate:** |
52 | | - |
53 | | -### Step 1: Disable GitHub Default Setup |
54 | | -1. Go to repository **Settings** → **Code security and analysis** |
55 | | -2. Find **Code scanning** section |
56 | | -3. Locate **CodeQL analysis** → **Default setup** |
57 | | -4. Click **Disable** or switch to **Advanced** |
58 | | - |
59 | | -> **Note**: You must have admin access to the repository to change these settings. |
60 | | - |
61 | | -### Step 2: Enable Uploads in Custom Workflow |
62 | | -Update `.github/workflows/codeql.yml` line 78-82 to: |
63 | | - |
64 | | -```yaml |
65 | | -- name: Perform CodeQL Analysis |
66 | | - uses: github/codeql-action/analyze@v4 |
67 | | - with: |
68 | | - category: "/language:${{ matrix.language }}" |
69 | | - # Upload results to GitHub Security tab |
70 | | - # Default setup has been disabled in repository settings |
71 | | - upload: true |
72 | | -``` |
73 | | - |
74 | | -Remove these lines (they're now unnecessary): |
75 | | -- `upload-database: false` |
76 | | -- `wait-for-processing: false` |
77 | | - |
78 | | -### Step 3: Verify Configuration |
79 | | -1. Commit and push the workflow changes |
80 | | -2. Trigger a workflow run (push to main or create PR) |
81 | | -3. Check **Security** tab → **Code scanning** for results |
82 | | -4. Verify both C# and JavaScript/TypeScript results appear |
83 | | - |
84 | | -## Alternative Solution: Use Default Setup Only |
85 | | - |
86 | | -If you prefer GitHub's managed solution: |
87 | | - |
88 | | -### Step 1: Delete Custom Workflow |
89 | | -```bash |
90 | | -git rm .github/workflows/codeql.yml |
91 | | -git rm .github/codeql/codeql-config.yml # optional, if not needed |
| 69 | +The expected `state` is `not-configured`. |
| 70 | + |
| 71 | +## Removing a Stale Configuration |
| 72 | + |
| 73 | +An alert can remain open after its code is fixed when it belongs to an older |
| 74 | +configuration that no longer runs. Adding the language to this workflow does |
| 75 | +not update the stale configuration's result. |
| 76 | + |
| 77 | +After the advanced workflow has completed successfully on `main`: |
| 78 | + |
| 79 | +1. Open **Security and quality** > **Code scanning**. |
| 80 | +2. Open **Tool status**, or open the alert and inspect **Affected branches** > |
| 81 | + **Configurations analyzing** for `main`. |
| 82 | +3. Retain `.github/workflows/codeql.yml:analyze` for each matrix language. |
| 83 | +4. Delete the stale `dynamic/github-code-scanning/codeql:analyze` and |
| 84 | + `dynamic/github-code-scanning/codeql:upload` configurations left by the |
| 85 | + former default setup. Retain every checked-in workflow configuration. |
| 86 | +5. Re-run the CodeQL workflow if an active configuration was removed by |
| 87 | + mistake. |
| 88 | + |
| 89 | +This administrative cleanup is required for findings that exist only in the |
| 90 | +former default-setup configuration; a repository commit cannot delete that |
| 91 | +server-side configuration. |
| 92 | + |
| 93 | +The stale Python configurations must not be removed before the checked-in |
| 94 | +Python matrix job succeeds on `main`. Otherwise, the repository can temporarily |
| 95 | +lose active Python coverage rather than transferring it to the advanced |
| 96 | +workflow. |
| 97 | + |
| 98 | +## Verification |
| 99 | + |
| 100 | +The July 2026 local verification reports: |
| 101 | + |
| 102 | +- the six original C# alerts have source fixes and regression coverage, while |
| 103 | + the Python setup alert has a hardened necessary sink and narrow documented |
| 104 | + suppression; |
| 105 | +- a fresh default-remote C# database moved from eight findings to zero; |
| 106 | +- fresh GitHub Actions and JavaScript/TypeScript databases report zero |
| 107 | + findings; |
| 108 | +- a fresh workflow-equivalent Python database ran all 45 default queries with |
| 109 | + the local threat model and reported zero findings and no SARIF warning/error |
| 110 | + notifications; and |
| 111 | +- the 52-query Python security-extended suite also reported zero findings. |
| 112 | + |
| 113 | +The Python filesystem audit passes 57 focused tests, and all 109 script tests |
| 114 | +pass with `ResourceWarning` promoted to an error. These complete-suite results, |
| 115 | +not an earlier targeted-query result, form the local release gate. |
| 116 | + |
| 117 | +After changing the workflow or CodeQL configuration: |
| 118 | + |
| 119 | +1. Validate `.github/workflows/codeql.yml` with `actionlint`. |
| 120 | +2. Run the workflow manually, or push the change to a branch with a pull |
| 121 | + request targeting `main`. |
| 122 | +3. Confirm all four matrix jobs complete and upload results. |
| 123 | +4. On **Security and quality** > **Code scanning** > **Tool status**, confirm |
| 124 | + recent GitHub Actions, C#, JavaScript/TypeScript, and Python analyses are |
| 125 | + present. |
| 126 | +5. Review new alerts before merging; do not dismiss them solely to make the |
| 127 | + check pass. |
| 128 | + |
| 129 | +Useful command-line checks: |
| 130 | + |
| 131 | +```shell |
| 132 | +gh run list --workflow codeql.yml --limit 10 |
| 133 | +gh api --paginate \ |
| 134 | + 'repos/melodee-project/melodee/code-scanning/alerts?state=open&tool_name=CodeQL&per_page=100' |
92 | 135 | ``` |
93 | 136 |
|
94 | | -### Step 2: Ensure Default Setup is Enabled |
95 | | -1. Repository **Settings** → **Code security and analysis** |
96 | | -2. Ensure **CodeQL analysis** is set to **Default setup** |
97 | | - |
98 | | -**Trade-offs:** |
99 | | -- ✅ Simpler configuration |
100 | | -- ✅ GitHub manages updates |
101 | | -- ❌ Less control over paths analyzed |
102 | | -- ❌ Cannot customize queries easily |
103 | | -- ❌ Configuration not in version control |
104 | | - |
105 | | -## Current Recommendation |
106 | | - |
107 | | -**Keep the custom workflow** because: |
108 | | -1. It already has proven security analysis (see `CODEQL-ANALYSIS.md`) |
109 | | -2. Path filtering reduces noise from docs and vendored code |
110 | | -3. Configuration is version-controlled and reviewable |
111 | | -4. Team has already invested in customizing it |
112 | | - |
113 | | -The only change needed is to **disable GitHub default setup** and **enable uploads** in the custom workflow. |
114 | | - |
115 | | -## Migration Checklist |
116 | | - |
117 | | -- [ ] 1. Disable GitHub default setup in repository settings |
118 | | -- [ ] 2. Update `codeql.yml` to set `upload: true` |
119 | | -- [ ] 3. Remove `upload-database: false` and `wait-for-processing: false` |
120 | | -- [ ] 4. Update comments in workflow file |
121 | | -- [ ] 5. Commit and push changes |
122 | | -- [ ] 6. Verify workflow runs successfully |
123 | | -- [ ] 7. Check Security tab for CodeQL results |
124 | | -- [ ] 8. Update `CODEQL-ANALYSIS.md` if needed |
125 | | - |
126 | 137 | ## References |
127 | 138 |
|
128 | | -- [GitHub CodeQL Documentation](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql) |
129 | | -- [Configuring Code Scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning) |
130 | | -- [CodeQL Action Documentation](https://github.com/github/codeql-action) |
131 | | -- Project: [CODEQL-ANALYSIS.md](../CODEQL-ANALYSIS.md) - Security audit results |
132 | | -- Project: [SECURITY-FIXES.md](../SECURITY-FIXES.md) - Security improvements |
133 | | - |
134 | | -## Questions? |
135 | | - |
136 | | -If you have questions about this configuration, please open an issue or contact the maintainers. |
| 139 | +- [Workflow configuration options for code scanning](https://docs.github.com/en/code-security/reference/code-scanning/workflow-configuration-options) |
| 140 | +- [CodeQL for compiled languages](https://docs.github.com/en/code-security/how-tos/find-and-fix-code-vulnerabilities/manage-your-configuration/codeql-for-compiled-languages) |
| 141 | +- [Resolving code scanning alerts](https://docs.github.com/en/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/resolve-alerts) |
| 142 | +- [Secure use of GitHub Actions](https://docs.github.com/en/actions/reference/security/secure-use) |
| 143 | +- [Customizing CodeQL library models for C#](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-csharp/) |
0 commit comments