From 2a2fc0c5e788d72e412f00f87c428a8129d3747f Mon Sep 17 00:00:00 2001 From: Alex Wilkerson John Date: Thu, 2 Jul 2026 16:19:53 -0400 Subject: [PATCH] ci: switch CodeQL to advanced setup with fixture path exclusions codeguard's test corpus contains deliberately vulnerable fixtures (testdata/, tests/corpus/**) that its own detection tests consume. CodeQL default setup was flagging those fixtures on every PR and Copilot Autofix suggested changes that would defang the corpus. Default setup does not support path exclusions, so this switches to an advanced-setup workflow whose config ignores the fixture paths. Same languages and weekly cadence as the default setup it replaces. Co-Authored-By: Claude Fable 5 --- .github/codeql/codeql-config.yml | 9 +++++ .github/workflows/codeql.yml | 56 ++++++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 .github/codeql/codeql-config.yml create mode 100644 .github/workflows/codeql.yml diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 0000000..54475fa --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,9 @@ +name: codeguard CodeQL config + +# codeguard's test suites detect vulnerabilities in deliberately vulnerable +# fixture files. Excluding those paths keeps CodeQL and Copilot Autofix from +# flagging the fixtures themselves (and suggesting "fixes" that would defang +# the detection corpus). +paths-ignore: + - "**/testdata/**" + - "tests/corpus/**" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..b66589e --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,56 @@ +name: CodeQL + +# Advanced CodeQL setup, replacing GitHub default setup. The advanced setup +# exists so .github/codeql/codeql-config.yml can exclude codeguard's +# deliberately vulnerable test fixtures (testdata/, tests/corpus/) — default +# setup does not support path exclusions. + +on: + push: + branches: + - main + - develop + pull_request: + branches: + - main + - develop + schedule: + # Weekly, matching the cadence default setup used. + - cron: "30 5 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + permissions: + security-events: write + packages: read + actions: read + contents: read + strategy: + fail-fast: false + matrix: + include: + - language: actions + build-mode: none + - language: go + build-mode: autobuild + - language: javascript-typescript + build-mode: none + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + + - name: Initialize CodeQL + uses: github/codeql-action/init@e8e8e51caba890f74f97e228d00b0b81b666ee4c # v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + config-file: ./.github/codeql/codeql-config.yml + + - name: Perform CodeQL analysis + uses: github/codeql-action/analyze@e8e8e51caba890f74f97e228d00b0b81b666ee4c # v3 + with: + category: "/language:${{ matrix.language }}"