Skip to content

Sph.2026 07 11.01#76

Merged
sphildreth merged 3 commits into
mainfrom
sph.2026-07-11.01
Jul 12, 2026
Merged

Sph.2026 07 11.01#76
sphildreth merged 3 commits into
mainfrom
sph.2026-07-11.01

Conversation

@sphildreth

Copy link
Copy Markdown
Collaborator

This pull request refactors and enhances the CodeQL security scanning configuration for the repository. It consolidates to a single advanced, version-controlled CodeQL workflow that covers all supported languages, introduces a more precise threat model for Python, and improves the maintainability and accuracy of custom sanitizer models. Documentation is updated to guide repository admins through setup, migration, and verification. Unused or redundant files are removed, and all workflow actions are pinned to specific commit SHAs for security.

CodeQL Workflow and Configuration Modernization

  • The .github/workflows/codeql.yml workflow is now the sole, authoritative CodeQL configuration. It runs on pushes, pull requests, a weekly schedule, and manual dispatch, covering Actions, C#, JavaScript/TypeScript, and Python, each with appropriate build and threat models. All actions are pinned to full commit SHAs for security.
  • The configuration files .github/codeql/codeql-config.yml and the new .github/codeql/codeql-python-config.yml define precise path exclusions and threat models: default-remote for C#/JS/TS/Actions, local for Python scripts, with clear documentation and no repository-wide rule exclusions for C#. [1] [2]

Custom CodeQL Models and Extensions

  • The sanitizer model for LogSanitizer and ConfigurationLogRedactor is now defined as a CodeQL pack in .github/codeql/extensions/log-sanitizer, using the correct barrierModel extensible and a pack manifest for discoverability by both advanced and default setups. [1] [2] [3]

Documentation and Migration Guidance

  • .github/CODEQL-WORKFLOW.md is rewritten to document the new workflow, explain the rationale for the split threat model, provide migration and verification steps, and clarify how to handle stale configurations and findings.

Cleanup

  • The unused .github/docker/Dockerfile.container-scan is deleted, reflecting the removal of an obsolete or redundant container scanning setup.

Security and Maintenance

  • All workflow and action references (including Docker metadata extraction) are pinned to verified commit SHAs, with release comments to facilitate future updates and reviews. [1] [2]

These changes ensure accurate, maintainable, and secure CodeQL analysis for all supported languages, with clear documentation and a robust migration path.

- Introduced comprehensive tests for `GitHubClient` to validate API origin enforcement and token security.
- Expanded `CleanupPathGuard` functionality with safe quarantine handling, isolated directory decisions, and secure mutation verification.
- Added several helper methods to improve directory traversal reliability and secure file operations.
Copilot AI review requested due to automatic review settings July 12, 2026 03:33

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review this pull request because it exceeds the maximum number of lines (20,000). Try reducing the number of changed lines and requesting a review from Copilot again.

@github-advanced-security

Copy link
Copy Markdown
Contributor

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@sphildreth sphildreth merged commit 82f2d53 into main Jul 12, 2026
15 checks passed
@sphildreth sphildreth deleted the sph.2026-07-11.01 branch July 12, 2026 03:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants