Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
42 commits
Select commit Hold shift + click to select a range
adb5b35
feat(codeql): add CodeQL enablement check as a dedicated extension
akiioto Jun 30, 2026
2eea6ef
fix(codeql): add repo_url to CodeqlFinding for better UI context
akiioto Jun 30, 2026
67e8afb
feat(codeql): add CodeqlFindingSelector to findings.py
akiioto Jun 30, 2026
88d7d8a
feat(codeql): register CodeQL service in artefact-enumerator
akiioto Jun 30, 2026
0ec5589
feat(codeql): add settings_url and language to CodeqlFinding
akiioto Jun 30, 2026
dcf43ce
feat(codeql): add configurable language filter to CodeqlConfig
akiioto Jul 1, 2026
828605a
feat(codeql): per-language findings based on active CodeQL analyses
akiioto Jul 1, 2026
5058a66
fix(codeql): sort CODEQL entries alphabetically in enums and dataclasses
akiioto Jul 1, 2026
bd2707d
fix(codeql): make repo_url and language required, remove settings_url
akiioto Jul 2, 2026
522c5a5
feat(codeql): add _validate_codeql finding validation function
akiioto Jul 2, 2026
28f8d97
fix(codeql): remove fallbacks, use access.ref instead of access.branch
akiioto Jul 3, 2026
c31f615
fix(codeql): remove manual secret_factory wiring in main()
akiioto Jul 3, 2026
c7d8eef
refactor(codeql): move GitHub API helpers to github_util
akiioto Jul 3, 2026
bb92746
fix(codeql): remove unused rescoring_ruleset from findings_cfg.yaml
akiioto Jul 3, 2026
e0a5841
fix(codeql): handle repoUrl without scheme in _parse_github_coords
akiioto Jul 3, 2026
e09c4c1
fix(github_util): handle api.github.com URL format in find_token_for_…
akiioto Jul 3, 2026
365c4f5
fix(ghas): remove unused imports after moving helpers to github_util
akiioto Jul 7, 2026
34f0a4c
refactor(ghas): drop wrapper functions, call github_util directly
akiioto Jul 7, 2026
f7a9641
fix(codeql): use descriptive severity ids in findings_cfg
akiioto Jul 7, 2026
33a13a7
fix(codeql): align CodeqlConfig.languages docstring with actual behav…
akiioto Jul 7, 2026
4722c6c
refactor(codeql): move GithubAccess check into is_supported
akiioto Jul 7, 2026
bf8e460
fix(codeql): iterate paginated analyses directly without materialisin…
akiioto Jul 7, 2026
eb70e47
fix(codeql): fall back to default branch when OCM access has no ref
akiioto Jul 7, 2026
68e9326
fix(codeql): move json import to module level
akiioto Jul 7, 2026
0d2d53a
fix(codeql): log exception when environment field cannot be parsed
akiioto Jul 7, 2026
ad731fd
feat(codeql): auto-rescore stale findings when CodeQL is enabled
akiioto Jul 7, 2026
c8e64ba
feat(codeql): add Helm chart and values documentation
akiioto Jul 8, 2026
c74b893
fix(codeql): expand CodeQL language aliases when building active_lang…
akiioto Jul 10, 2026
1fdbf25
fix(ghas): restore util import accidentally removed in cleanup
akiioto Jul 10, 2026
ec1260a
fix(codeql): make languages a required field in CodeqlConfig
akiioto Jul 10, 2026
e728ff4
feat(codeql): add finding/codeql to default profile
akiioto Jul 10, 2026
3eac408
feat(codeql): add codeql entry to charts/extensions/values.yaml
akiioto Jul 10, 2026
fdf6931
docs(codeql): clarify CodeQL language identifiers in values.documenta…
akiioto Jul 10, 2026
8d883a8
fix(codeql): document that languages uses GitHub names, not CodeQL id…
akiioto Jul 10, 2026
375b054
fix(codeql): fix ruff lint issues
akiioto Jul 10, 2026
490b53f
fix(codeql): gate stale rescoring on successful GitHub API lookup
akiioto Jul 15, 2026
20bad69
fix(codeql): add java-kotlin alias and align is_supported signature
akiioto Jul 15, 2026
e5bb00b
fix(codeql): treat non-dict /languages response as api_success=False
akiioto Jul 15, 2026
4d06010
fix(codeql): make existing_findings a required parameter
akiioto Jul 15, 2026
77742ce
fix(codeql): build new_keys iteratively from finding.data.key
akiioto Jul 15, 2026
dc1c7ed
fix(codeql, sast): fix mutable default creation_timestamp evaluated a…
akiioto Jul 15, 2026
29b723e
fix(codeql): fix docstring syntax and use is not None in is_supported
akiioto Jul 15, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 37 additions & 0 deletions charts/bootstrapping/values.documentation.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -516,6 +516,41 @@ extensions_cfg:
# - warning: skip processing and log a warning message (default)
on_unsupported: warning

# @param extensions_cfg.codeql worker which checks whether GitHub Advanced Security CodeQL is
# enabled for each OCM source artefact and creates findings for languages that are configured but
# not actively scanned
Comment on lines +519 to +521

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and creates findings for languages that are configured but not actively scanned

are there also other cases where the extension creates findings, e.g. if codeql is not enabled at all?

codeql:
# @param extensions_cfg.codeql.enabled allows disabling of extension without removing its
# configuration
enabled: true
# @param extensions_cfg.codeql.delivery_service_url url to access the delivery-service (cluster
# internal url is sufficient)
# e.g.
# delivery_service_url: http://delivery-service.<namespace>.svc.cluster.local:8080
delivery_service_url: ""
# @param extensions_cfg.codeql.interval time (in seconds) after which a component should be
# re-checked the latest
interval: 86400 # 24h
# @param extensions_cfg.codeql.languages list of programming languages to check CodeQL coverage
# for. A finding is emitted for each language that is present in the repository but not actively
# scanned by CodeQL. Use the language names as returned by the GitHub repository languages API

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please add a link to github-api docs to make it easier for consumers to check allowed values

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A finding is emitted for each language that is present in the repository but not actively scanned by CodeQL

why do we need an explicit user-managed list of relevant languages at all?
the repository scanning identifies used languages, does CodeQL require language specific configuration?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The languages config list exists because CodeQL does not support all programming languages. For example, a repository may contain YAML, Dockerfile, or Shell - all of which would appear in the GitHub /languages response - but CodeQL cannot analyse them. Without an explicit list, the extension would have to either hardcode the set of CodeQL-supported languages.

Instead, operators configure the languages their organisation requires SAST coverage for once, e.g.:

  languages:
    - go
    - python
    - java

The extension then only creates findings for those languages. The /languages API is used purely as a filter to avoid false positives - if a configured language (e.g. go) is not actually present in the repository, no finding is created.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

from end-user perspective, wouldn't I by default rather want to have all CodeQL findings and optionally exclude languages?

I am afraid that with the current approach someone performs a one time assessment of used languages, configures them for the entire extension, and repository adapting new languages will not be covered.

wdyt?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm, actually excluding those languages make a lot of sense. good catch, i'll adjust the code.

# (e.g. 'go', 'python', 'javascript'). The extension automatically handles CodeQL-specific
# language identifiers (e.g. maps 'javascript-typescript' back to 'javascript').
# e.g.
# languages:
# - go
# - python
# - javascript
languages:
- ""
# @param extensions_cfg.codeql.on_unsupported behaviour in case the detected artefact
# kind/type/access is not supported
# options:
# - fail: raise an exception
# - ignore: skip processing
# - warning: skip processing and log a warning message (default)
on_unsupported: warning

# @param extensions_cfg.issue_replicator worker which takes care of the GitHub issue lifecycle for
# detected findings
issue_replicator:
Expand Down Expand Up @@ -1163,6 +1198,7 @@ features_cfg:
findings:
# @param findings[].type type of finding this configuration is used for
# options:
# - finding/codeql
# - finding/crypto
# - finding/diki
# - finding/falco
Expand Down Expand Up @@ -1543,6 +1579,7 @@ profiles:
# @param profiles[].finding_types list of finding types which should be displayed for users who
# selected this profile in the delivery-dashboard
# options:
# - finding/codeql
# - finding/crypto
# - finding/diki
# - finding/falco
Expand Down
3 changes: 3 additions & 0 deletions charts/extensions/Chart.yaml
Comment thread
8R0WNI3 marked this conversation as resolved.
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,9 @@ dependencies:
- name: ghas
repository: file://charts/ghas
condition: ghas.enabled
- name: codeql
repository: file://charts/codeql
condition: codeql.enabled
- name: issue-replicator
repository: file://charts/issue-replicator
condition: issue-replicator.enabled
Expand Down
3 changes: 3 additions & 0 deletions charts/extensions/charts/codeql/Chart.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
apiVersion: v2
name: codeql
version: 0.1.0
111 changes: 111 additions & 0 deletions charts/extensions/charts/codeql/templates/codeql.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,111 @@
{{- $podName := "codeql" }}

apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $podName }}
namespace: {{ .Values.target_namespace | default .Release.Namespace }}
{{- if default dict (.Values.deployment).annotations }}
annotations:
{{- range $annotation, $value := .Values.deployment.annotations }}
{{ $annotation }}: {{ $value }}
{{- end }}
{{- end }}
spec:
replicas: 0 # will be scaled automatically by backlog-controller
selector:
matchLabels:
app: {{ $podName }}
delivery-gear.gardener.cloud/service: codeql
template:
metadata:
labels:
app: {{ $podName }}
delivery-gear.gardener.cloud/service: codeql
spec:
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app: {{ $podName }}
terminationGracePeriodSeconds: 300 # 5 min
containers:
- name: {{ $podName }}
image: {{ include "image" .Values.global.image }}
imagePullPolicy: IfNotPresent
command:
- python3
- -m
- codeql
securityContext:
allowPrivilegeEscalation: false
env:
- name: SECRET_FACTORY_PATH
value: /secrets
- name: EXTENSIONS_CFG_PATH
value: /extensions_cfg/extensions_cfg
- name: FINDINGS_CFG_PATH
value: /findings_cfg/findings_cfg
- name: OCM_REPO_MAPPINGS_PATH
value: /ocm_repo_mappings/ocm_repo_mappings
- name: K8S_TARGET_NAMESPACE
value: {{ .Values.target_namespace | default .Release.Namespace }}
volumeMounts:
- name: github
mountPath: /secrets/github
- name: github-app
mountPath: /secrets/github-app
- name: extensions-cfg
mountPath: /extensions_cfg
- name: findings-cfg
mountPath: /findings_cfg
- name: ocm-repo-mappings
mountPath: /ocm_repo_mappings
readOnly: true
lifecycle:
preStop:
exec:
command:
- sleep
- "60"
resources:
requests:
memory: 100Mi
cpu: 250m
limits:
memory: 300Mi
cpu: 500m
volumes:
- name: github
secret:
secretName: secret-factory-github
optional: true
- name: github-app
secret:
secretName: secret-factory-github-app
optional: true
- name: extensions-cfg
configMap:
name: extensions-cfg
- name: findings-cfg
configMap:
name: findings-cfg
- name: ocm-repo-mappings
configMap:
name: ocm-repo-mappings
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-from-codeql
namespace: {{ .Values.target_namespace | default .Release.Namespace }}
spec:
podSelector:
matchLabels:
app: {{ $podName }}
policyTypes:
- Egress
egress:
- {} # Allows all egress traffic to any destination and port
4 changes: 4 additions & 0 deletions charts/extensions/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,10 @@ clamav:
deployment:
annotations: []
enabled: false
codeql:
deployment:
annotations: []
enabled: false
crypto:
deployment:
annotations: []
Expand Down
17 changes: 17 additions & 0 deletions src/artefact_enumerator.py
Original file line number Diff line number Diff line change
Expand Up @@ -381,6 +381,23 @@ def _process_compliance_snapshot_of_artefact(
if uncommitted_backlog_item:
uncommitted_backlog_items.append(uncommitted_backlog_item)

if (
extensions_cfg.codeql
and extensions_cfg.codeql.enabled
and extensions_cfg.codeql.is_supported(artefact_kind=artefact.artefact_kind)
):
compliance_snapshot, uncommitted_backlog_item = _create_backlog_item_for_extension(
finding_cfgs=finding_cfgs,
finding_types=(odg.model.Datatype.CODEQL_FINDING,),
artefact=artefact,
compliance_snapshot=compliance_snapshot,
service=odg.extensions_cfg.Services.CODEQL,
interval_seconds=extensions_cfg.codeql.interval,
now=now,
)
if uncommitted_backlog_item:
uncommitted_backlog_items.append(uncommitted_backlog_item)

if (
extensions_cfg.osid
and extensions_cfg.osid.enabled
Expand Down
Loading
Loading