Skip to content

ci: switch CodeQL to advanced setup so fixture paths can be excluded#28

Merged
alxxjohn merged 1 commit into
mainfrom
ci/codeql-advanced-setup
Jul 2, 2026
Merged

ci: switch CodeQL to advanced setup so fixture paths can be excluded#28
alxxjohn merged 1 commit into
mainfrom
ci/codeql-advanced-setup

Conversation

@alxxjohn

@alxxjohn alxxjohn commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary

CodeQL default setup (and the code-quality bot) have been flagging codeguard's deliberately vulnerable test fixtures on PRs — **/testdata/** (e.g. adversarial.ts, html_sink_adversarial.ts) and tests/corpus/**/vulnerable/** — with Copilot Autofix suggesting changes (e.g. replacing document.write) that would defang the detection corpus the scanner's own tests depend on (tests/checks/typescript_treesitter_test.go, internal/codeguard/checks/support/treesitter/treesitter_test.go).

Default setup does not support path exclusions, so this PR switches the repo to an advanced-setup CodeQL workflow:

  • .github/workflows/codeql.yml — same languages (actions, go, javascript-typescript) and weekly cadence as the default setup it replaces; actions pinned by SHA to match repo convention.
  • .github/codeql/codeql-config.ymlpaths-ignore for **/testdata/** and tests/corpus/**.

Default setup has been disabled on the repo so the advanced workflow's uploads are accepted (they conflict otherwise).

Note: the code-quality bot's comments are configured separately (repo Settings → Code quality) — this PR only covers CodeQL.

Test plan

  • Workflow + config YAML validated locally
  • Analyze (…) checks on this PR run via the new workflow and report no findings in fixture paths

🤖 Generated with Claude Code

codeguard's test corpus contains deliberately vulnerable fixtures
(testdata/, tests/corpus/**) that its own detection tests consume.
CodeQL default setup was flagging those fixtures on every PR and
Copilot Autofix suggested changes that would defang the corpus.
Default setup does not support path exclusions, so this switches to an
advanced-setup workflow whose config ignores the fixture paths. Same
languages and weekly cadence as the default setup it replaces.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@alxxjohn alxxjohn merged commit 43e2e10 into main Jul 2, 2026
16 checks passed
@alxxjohn alxxjohn deleted the ci/codeql-advanced-setup branch July 2, 2026 20:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant