Commit b72f12d
chore: security audit cleanup — CodeQL, workflow permissions, dependency overrides (#2884)
## Summary
Addresses all 65 open GitHub security alerts (49 code scanning + 16
Dependabot) identified during a full security audit. None represent real
risk to end users — see #2883 for the complete investigation.
- **Switch CodeQL to advanced setup** with path exclusions for test
fixtures and spec/dummy apps (eliminates 14 false-positive code scanning
alerts from build artifacts and test infrastructure)
- **Add `permissions: { contents: read }`** to all 14 CI workflows that
lacked a top-level permissions block (resolves 22 code scanning alerts,
follows GitHub's principle of least privilege)
- **Generate pnpm overrides** via `pnpm audit --fix` for 28 transitive
dependency vulnerabilities (all dev-only, reduces npm audit from 38 to 8
— remaining are unfixable or pnpm edge cases)
- **Update loofah** 2.25.0 → 2.25.1 across 4 Gemfile.lock files (URI
detection fix)
Additionally, 13 code scanning false positives were dismissed via API
with documented reasons (by-design VM execution, internal service
architecture, non-vulnerable regex patterns). See #2883 for each
dismissal rationale.
## Post-merge admin action
After merging, disable the "Default setup" CodeQL scanner in Settings >
Code security > Code scanning. The new advanced setup workflow replaces
it — if both run, the default scanner ignores path exclusions.
## Test plan
- [ ] CI passes on all existing workflows (the permissions change is
additive and non-breaking)
- [ ] CodeQL workflow runs successfully on this PR (new workflow)
- [ ] After merge + default CodeQL disabled: code scanning alerts drop
to ~0
- [ ] After merge: Dependabot detects lockfile changes and auto-closes
resolved alerts
Closes #2883
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
- Restrict CI workflow permissions to read-only access for repository
contents.
- Add a scheduled automated CodeQL security scan covering
JavaScript/TypeScript and Ruby.
- Exclude test fixture and dummy application directories from automated
security analysis.
- Expand package manager override rules to pin/remap many transitive
dependency versions for more consistent installs.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>1 parent 0ccbe3a commit b72f12d
22 files changed
Lines changed: 326 additions & 208 deletions
File tree
- .github
- codeql
- workflows
- react_on_rails_pro
- spec
- dummy
- execjs-compatible-dummy
- react_on_rails
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
3 | 6 | | |
4 | 7 | | |
5 | 8 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
3 | 6 | | |
4 | 7 | | |
5 | 8 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
3 | 6 | | |
4 | 7 | | |
5 | 8 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
3 | 6 | | |
4 | 7 | | |
5 | 8 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
3 | 6 | | |
4 | 7 | | |
5 | 8 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
3 | 6 | | |
4 | 7 | | |
5 | 8 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
3 | 6 | | |
4 | 7 | | |
5 | 8 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
3 | 6 | | |
4 | 7 | | |
5 | 8 | | |
| |||
0 commit comments