
Commit b72f12d

ihabadham and claude authored
chore: security audit cleanup — CodeQL, workflow permissions, dependency overrides (#2884)
## Summary

Addresses all 65 open GitHub security alerts (49 code scanning + 16 Dependabot) identified during a full security audit. None represent real risk to end users — see #2883 for the complete investigation.

- **Switch CodeQL to advanced setup** with path exclusions for test fixtures and spec/dummy apps (eliminates 14 false-positive code scanning alerts from build artifacts and test infrastructure)
- **Add `permissions: { contents: read }`** to all 14 CI workflows that lacked a top-level permissions block (resolves 22 code scanning alerts, follows GitHub's principle of least privilege)
- **Generate pnpm overrides** via `pnpm audit --fix` for 28 transitive dependency vulnerabilities (all dev-only, reduces npm audit from 38 to 8 — remaining are unfixable or pnpm edge cases)
- **Update loofah** 2.25.0 → 2.25.1 across 4 Gemfile.lock files (URI detection fix)

Additionally, 13 code scanning false positives were dismissed via API with documented reasons (by-design VM execution, internal service architecture, non-vulnerable regex patterns). See #2883 for each dismissal rationale.

## Post-merge admin action

After merging, disable the "Default setup" CodeQL scanner in Settings > Code security > Code scanning. The new advanced setup workflow replaces it — if both run, the default scanner ignores path exclusions.

## Test plan

- [ ] CI passes on all existing workflows (the permissions change is additive and non-breaking)
- [ ] CodeQL workflow runs successfully on this PR (new workflow)
- [ ] After merge + default CodeQL disabled: code scanning alerts drop to ~0
- [ ] After merge: Dependabot detects lockfile changes and auto-closes resolved alerts

Closes #2883

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit

* **Chores**
  - Restrict CI workflow permissions to read-only access for repository contents.
  - Add a scheduled automated CodeQL security scan covering JavaScript/TypeScript and Ruby.
  - Exclude test fixture and dummy application directories from automated security analysis.
  - Expand package manager override rules to pin/remap many transitive dependency versions for more consistent installs.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
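As an added example (not code from this commit or from the react_on_rails project), the Python script below re-creates the check behind the "workflow lacks a top-level permissions block" finding that the `permissions: contents: read` hunks in this commit resolve. It scans only column-0 keys, so it needs no YAML library and is not satisfied by a job-level `permissions:` that covers a single job; it normalises the shorthand forms GitHub accepts (`read-all`, `write-all`, `{}`, inline `{ contents: read }`) and classifies each workflow as missing the block, using `write-all`, or scoped, listing any write scopes. The sample workflow texts are constructed to mirror the before/after shape of the hunks; `audit_directory` is an added helper for running the same check over a real `.github/workflows` folder.

```python
"""Audit GitHub Actions workflow files for a top-level `permissions:` block.

Constructed example, not the project's own tooling. A workflow with no
top-level block inherits the repository's default GITHUB_TOKEN permissions,
which may be read-write; the top-level block is the ceiling that individual
jobs may re-grant from (for example `security-events: write` in a CodeQL job).
"""
import re
from pathlib import Path
from typing import Dict, List, Optional

# Column-0 key with an optional inline value. A job-level `permissions:` is
# indented and therefore never matches this pattern.
TOP_KEY = re.compile(r"^([A-Za-z_][\w-]*):[ \t]*(.*?)[ \t]*$")
# Indented `scope: level` child of a block mapping.
CHILD_KEY = re.compile(r"^[ \t]+([\w-]+):[ \t]*([\w-]+)[ \t]*$")


def _strip_comment(value: str) -> str:
    return value.split("#", 1)[0].strip()


def top_level_permissions(text: str) -> Optional[Dict[str, str]]:
    """Return the top-level permissions mapping, or None when the block is absent.

    Shorthand forms are normalised:
      permissions: read-all / write-all -> {"*": "read-all"} / {"*": "write-all"}
      permissions: {}                   -> {}
      permissions: { contents: read }   -> {"contents": "read"}
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = TOP_KEY.match(line)
        if not m or m.group(1) != "permissions":
            continue
        inline = _strip_comment(m.group(2))
        if inline.startswith("{"):  # flow mapping on one line
            body = inline.strip("{} ")
            pairs = (p.split(":", 1) for p in body.split(",") if p.strip())
            return {k.strip(): v.strip() for k, v in pairs}
        if inline:  # read-all / write-all shorthand
            return {"*": inline}
        perms: Dict[str, str] = {}
        for child in lines[i + 1:]:
            if not child.strip():
                continue
            cm = CHILD_KEY.match(child)
            if not cm:  # next column-0 key ends the block
                break
            perms[cm.group(1)] = cm.group(2)
        return perms
    return None


def audit_workflow(text: str) -> Dict[str, object]:
    """Classify one workflow: 'missing', 'write-all', or 'scoped' with its write scopes."""
    perms = top_level_permissions(text)
    if perms is None:
        return {"status": "missing", "writes": []}
    if perms.get("*") == "write-all":
        return {"status": "write-all", "writes": ["*"]}
    writes: List[str] = sorted(s for s, lvl in perms.items() if lvl == "write")
    return {"status": "scoped", "writes": writes}


def audit_directory(workflows_dir: str) -> Dict[str, Dict[str, object]]:
    """Audit every *.yml / *.yaml file in a .github/workflows directory."""
    return {
        path.name: audit_workflow(path.read_text(encoding="utf-8"))
        for path in sorted(Path(workflows_dir).glob("*.y*ml"))
    }


# Constructed samples modelled on the before/after shape of the commit's hunks.
BEFORE = """name: Lint GitHub Actions

on:
  push:
    branches: [main]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
AFTER = BEFORE.replace("\non:", "\npermissions:\n  contents: read\n\non:", 1)
JOB_LEVEL_ONLY = """name: CodeQL
on:
  push:
    branches: [main]
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    steps:
      - uses: actions/checkout@v4
"""
INLINE_FLOW = "name: Publish\npermissions: { contents: read, id-token: write }\non: workflow_dispatch\n"
WRITE_ALL = "name: Legacy\npermissions: write-all  # too broad\non: push\n"

if __name__ == "__main__":
    for label, text in [("before", BEFORE), ("after", AFTER),
                        ("job-level only", JOB_LEVEL_ONLY),
                        ("inline flow", INLINE_FLOW), ("write-all", WRITE_ALL)]:
        print(f"{label:15} {audit_workflow(text)}")
```

The job-level-only sample is the case worth internalising: a job that declares its own `permissions:` is fine, but it does not restrict the other jobs in the file, so the audit still reports the workflow as missing a top-level block.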
1 parent 0ccbe3a commit b72f12d

22 files changed

Lines changed: 326 additions & 208 deletions

.github/codeql/codeql-config.yml

Lines changed: 9 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -0,0 +1,9 @@
1+
# Excludes directories that generate false positives:
2+
# - tests/fixtures: pre-built webpack bundles checked in as test artifacts, not source code
3+
# - spec/dummy: Rails test apps used for integration testing, not production code
4+
5+
paths-ignore:
6+
- 'packages/react-on-rails-pro-node-renderer/tests/fixtures/**'
7+
- 'react_on_rails_pro/spec/dummy/**'
8+
- 'react_on_rails_pro/spec/execjs-compatible-dummy/**'
9+
- 'react_on_rails/spec/dummy/**'
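Review bot: the header comment (lines 1 to 3) says what is excluded but not the condition under which the exclusions take effect; the commit message notes that while the "Default setup" scanner remains enabled it ignores `paths-ignore`, so that caveat belongs in this file, e.g. `# Used by .github/workflows/codeql.yml (advanced setup); the Default setup scanner ignores these exclusions, so keep it disabled.` Without it, the next maintainer who re-enables default setup will see the 14 fixture alerts return with no hint why. The four globs themselves are fine for a `paths-ignore` list (quoted, `**` recursive).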

.github/workflows/actionlint.yml

Lines changed: 3 additions & 0 deletions
@@ -1,5 +1,8 @@
11
name: Lint GitHub Actions
22

3+
permissions:
4+
contents: read
5+
36
on:
47
push:
58
branches:
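Review bot: a top-level `permissions:` block (lines 3 to 4) is the right fix for the missing-permissions alert, because a workflow with no block inherits the repository default token permissions, and the top-level block acts as a ceiling that individual jobs can re-grant from (as the new CodeQL job in this commit does with `security-events: write`). For a lint-only workflow, `contents: read` is all the token needs. Consider a one-line comment above the block saying that any future job needing write access (PR comments, releases) must declare its own job-level `permissions`, so later edits do not widen this top-level block instead.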

.github/workflows/bundle-size.yml

Lines changed: 3 additions & 0 deletions
@@ -1,5 +1,8 @@
11
name: Bundle Size
22

3+
permissions:
4+
contents: read
5+
36
on:
47
pull_request:
58
paths:
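Review bot: this workflow runs on `pull_request` and, going by its name, reports bundle size; if any of its steps comment on the PR or publish a check, those steps now need `pull-requests: write` or `checks: write` at the job level, because the new top-level block (lines 3 to 4) limits the token to `contents: read`. The hunk shows only the first eight lines, so confirm the test-plan item "CI passes on all existing workflows" was exercised on a PR that actually posts a result, and note that for fork-originated PRs the token is read-only regardless of this block.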

.github/workflows/check-markdown-links.yml

Lines changed: 3 additions & 0 deletions
@@ -1,5 +1,8 @@
11
name: Check Markdown Links
22

3+
permissions:
4+
contents: read
5+
36
on:
47
push:
58
branches: [main]

.github/workflows/codeql.yml

Lines changed: 39 additions & 0 deletions
@@ -0,0 +1,39 @@
1+
name: CodeQL
2+
3+
on:
4+
push:
5+
branches: [main]
6+
pull_request:
7+
branches: [main]
8+
schedule:
9+
- cron: '0 6 * * 1' # Weekly Monday 6am UTC
10+
11+
jobs:
12+
analyze:
13+
name: Analyze
14+
runs-on: ubuntu-latest
15+
permissions:
16+
security-events: write
17+
contents: read
18+
actions: read
19+
strategy:
20+
fail-fast: false
21+
matrix:
22+
language: ['javascript-typescript', 'ruby']
23+
steps:
24+
- name: Checkout repository
25+
uses: actions/checkout@v4
26+
27+
- name: Initialize CodeQL
28+
uses: github/codeql-action/init@v4
29+
with:
30+
languages: ${{ matrix.language }}
31+
config-file: ./.github/codeql/codeql-config.yml
32+
33+
- name: Autobuild
34+
uses: github/codeql-action/autobuild@v4
35+
36+
- name: Perform CodeQL Analysis
37+
uses: github/codeql-action/analyze@v4
38+
with:
39+
category: '/language:${{ matrix.language }}'
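Review bot: the `Autobuild` step (lines 33 and 34) is unnecessary for the two languages in the matrix; `javascript-typescript` and `ruby` are extracted without a build, so the step can be dropped to shorten the job (keeping it is harmless). Since this PR is a security-audit cleanup, also consider pinning `actions/checkout@v4` and the three `github/codeql-action/*@v4` uses to full commit SHAs with a version comment rather than mutable major tags. The job-level `permissions` block (lines 15 to 18) correctly re-grants `security-events: write` above the read-only defaults being introduced elsewhere in this commit, and the cron comment matches `0 6 * * 1`.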

.github/workflows/examples.yml

Lines changed: 3 additions & 0 deletions
@@ -1,5 +1,8 @@
11
name: Generator tests # TODO needs to be duplicated for RoR Pro
22

3+
permissions:
4+
contents: read
5+
36
on:
47
push:
58
branches:

.github/workflows/gem-tests.yml

Lines changed: 3 additions & 0 deletions
@@ -1,5 +1,8 @@
11
name: Rspec test for gem
22

3+
permissions:
4+
contents: read
5+
36
on:
47
push:
58
branches:

.github/workflows/integration-tests.yml

Lines changed: 3 additions & 0 deletions
@@ -1,5 +1,8 @@
11
name: Integration Tests
22

3+
permissions:
4+
contents: read
5+
36
on:
47
push:
58
branches:

.github/workflows/lint-js-and-ruby.yml

Lines changed: 3 additions & 0 deletions
@@ -1,5 +1,8 @@
11
name: Lint JS and Ruby
22

3+
permissions:
4+
contents: read
5+
36
on:
47
push:
58
branches:

.github/workflows/package-js-tests.yml

Lines changed: 3 additions & 0 deletions
@@ -1,5 +1,8 @@
11
name: JS unit tests for Renderer package
22

3+
permissions:
4+
contents: read
5+
36
on:
47
push:
58
branches:

0 commit comments