ci(security): add CodeQL and OSV-Scanner workflows#302
📝 Walkthrough: Adds two GitHub Actions workflows: CodeQL analysis configured for
Sequence diagram:
sequenceDiagram
    participant Event as GitHub Event
    participant Runner as Actions Runner
    participant Repo as Repository
    participant CodeQL as CodeQL Action
    participant OSV as OSV Scanner
    Event->>Runner: push/PR to main or weekly cron
    Runner->>Repo: actions/checkout
    Runner->>CodeQL: initialize (languages=javascript-typescript)
    CodeQL->>Runner: autobuild/analyze
    Runner->>OSV: call reusable google/osv-scanner-action (--recursive)
    OSV->>Runner: run scan and report results
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Actionable comments posted: 1
♻️ Duplicate comments (1)
.github/workflows/codeql.yml (1)
21-21: Same Blacksmith runner label — suppressing the actionlint false positive in actionlint.yaml (see comment in osv-scanner.yml) will fix both workflows.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/codeql.yml at line 21, The workflow uses the same Blacksmith runner label ("runs-on: blacksmith-4vcpu-ubuntu-2404") and is triggering a duplicate actionlint false positive; add a suppression for this workflow in the actionlint configuration (the same style used for osv-scanner.yml) so actionlint ignores the duplicate-runner warning for the .github/workflows/codeql.yml workflow. Update actionlint.yaml to include an entry that targets the codeql.yml workflow path and the duplicate-runner rule (matching the suppression format used for osv-scanner.yml) so the false positive is suppressed without changing the runs-on value.
🧹 Nitpick comments (1)
.github/workflows/codeql.yml (1)
23-27: fail-fast: false is a no-op with a single-language matrix. With only javascript-typescript in the matrix, fail-fast has no effect. It's harmless to keep for future-proofing if more languages are planned, but can be removed to keep the config tidy.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/codeql.yml around lines 23 - 27, The workflow contains a no-op "fail-fast: false" under the strategy block because the matrix only defines a single language ("javascript-typescript"); remove the "fail-fast: false" line from the strategy section in the codeql.yml to tidy the config (or alternatively keep it commented with a note if you intend to expand the matrix later), ensuring you edit the "strategy" / "matrix" -> "language" area where "javascript-typescript" is defined.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/osv-scanner.yml:
- Around line 27-31: Replace the direct action usage with the reusable workflow
so SARIF is uploaded: swap the job step that currently uses
"google/osv-scanner-action/osv-action@v2" (the "Run OSV-Scanner" step) to call
the reusable workflow
"google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml" and
ensure the input "scan-args" includes the target directory (e.g., "--recursive
./") so scanning behaves as documented; keep the step name "Run OSV-Scanner" and
the "scan-args" input key so the change is localized and clear.
6080cce to 2182c80
Add static analysis (CodeQL) and dependency vulnerability scanning (OSV-Scanner) to CI. Both run on push/PR to main and weekly on Monday 08:00 UTC. Results upload to GitHub Security tab via SARIF.
♻️ Duplicate comments (2)
.github/workflows/osv-scanner.yml (2)
21-21: ⚠️ Potential issue | 🟠 Major: Same unknown runner label as codeql.yml — verify blacksmith-4vcpu-ubuntu-2404. Same concern as flagged in codeql.yml Line 21.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/osv-scanner.yml at line 21, The workflow uses a nonstandard runner label "blacksmith-4vcpu-ubuntu-2404" in the runs-on key which matches the same unknown label flagged in codeql.yml; verify that this custom runner name is intentional and available in your GitHub Actions self-hosted fleet or replace it with a supported runner (e.g., "ubuntu-24.04" or another approved label) so the workflow can run; update the runs-on value in .github/workflows/osv-scanner.yml (and ensure consistency with the runs-on used in codeql.yml) to the correct, existing runner label.
27-31: ⚠️ Potential issue | 🟠 Major: SARIF is still not uploaded; missing target directory in scan-args.
google/osv-scanner-action/osv-scanner-action@v2.3.3 is the low-level composite action — it is invoked internally by the reusable workflow osv-scanner-reusable.yml, which handles SARIF generation and upload. Using the composite action directly skips the upload step, so the PR description's claim of "Scan results are uploaded to the GitHub Security tab using SARIF" remains incorrect. Additionally, scan-args should include the target directory (./) alongside --recursive; without it the scan may not behave as expected. Replace the job with the reusable workflow:
🔧 Proposed fix: switch to reusable workflow for SARIF upload
jobs: - osv-scan: - name: OSV Vulnerability Scan - runs-on: blacksmith-4vcpu-ubuntu-2404 - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Run OSV-Scanner - uses: google/osv-scanner-action/osv-scanner-action@v2.3.3 - with: - scan-args: |- - --recursive + osv-scan: + uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.3 + with: + scan-args: |- + --recursive + ./ + permissions: + security-events: write + contents: read + actions: read🤖 Prompt for AI Agents
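Review bot: the `- runs-on: blacksmith-4vcpu-ubuntu-2404` removal is a behaviour change, not just tidying: a job that `uses:` a reusable workflow cannot set `runs-on`, so after this change the scan runs on whatever runner osv-scanner-reusable.yml declares, not on the Blacksmith runner, and that is worth stating in the PR description given the runner label is being discussed separately. The added `permissions` block (`security-events: write` in particular) is what allows the reusable workflow's upload step to write SARIF into code scanning, so it has to stay on the calling job. Consider pinning `osv-scanner-reusable.yml@v2.3.3` to that release's commit SHA instead of the tag, which gives a stronger supply-chain guarantee for a workflow that runs with write permissions.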
Verify each finding against the current code and only fix it if needed. In @.github/workflows/osv-scanner.yml around lines 27 - 31, The job currently calls the low-level composite action google/osv-scanner-action/osv-scanner-action@v2.3.3 which skips SARIF upload; replace that job with the reusable workflow `osv-scanner-reusable.yml` (the reusable workflow that handles SARIF generation and upload) and when supplying scan-args ensure you include the target directory (add "./" alongside `--recursive`) so the scanner runs the intended tree; update the job invocation to call the reusable workflow and pass `scan-args: --recursive ./` (or the equivalent multiline form) so SARIF is produced and uploaded to the Security tab.
2182c80 to 4068a4d
yujiyokoo left a comment:
Nice. Newly-added OSV is failing in CI.
Set fail-on-vuln to false so vulnerability scan results are reported to GitHub Security tab without failing CI. Current findings are all low/medium severity in transitive dev dependencies.
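Putting the osv-scanner.yml review (call the reusable workflow so SARIF is uploaded, pass `./` with `--recursive`) together with the `fail-on-vuln: false` change from the commit above, as an added example rather than the PR's own file. The cron expression for "Monday 08:00 UTC", the workflow name and the top-level `permissions` line are assumptions; the reusable-workflow reference, inputs and job permissions are the ones the review proposes.

```yaml
# Added example (not the PR's own osv-scanner.yml): reusable-workflow form
# with fail-on-vuln disabled, as the review thread converges on it.
# Assumed: cron '0 8 * * 1' stands for "Monday 08:00 UTC" from the PR text.
name: OSV-Scanner

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 8 * * 1'   # Monday 08:00 UTC

permissions:
  contents: read          # default for every job unless a job overrides it

jobs:
  osv-scan:
    # A job that calls a reusable workflow cannot declare runs-on or steps;
    # checkout, scanning and the SARIF upload happen inside the callee.
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.3
    with:
      scan-args: |-
        --recursive
        ./
      # Report findings to the Security tab without failing the CI run.
      fail-on-vuln: false
    permissions:
      security-events: write   # required to upload SARIF to code scanning
      contents: read
      actions: read            # lets the upload step read workflow metadata
```

With fail-on-vuln off, the gate moves from the CI status to code-scanning alert triage, so someone still has to watch the Security tab for new findings.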
🧹 Nitpick comments (2)
.github/workflows/codeql.yml (2)
34-34: Upgrade github/codeql-action from v3 to v4. Node.js 20.x — the runtime used by CodeQL Action v3 — reaches end-of-life on 30 April 2026; v4, which uses Node.js 24, has been released to address this. CodeQL Action v3 will be deprecated in December 2026, and the action now logs a warning for customers running v3 who could be running v4. GitHub recommends referencing the action using v4 to automatically pick up the latest bug fixes, new features, and updated CodeQL CLI versions.
⬆️ Proposed upgrade to CodeQL Action v4
- uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v4 - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@v4 # or remove entirely, see next comment - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@v4Also applies to: 39-39, 42-42
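Review bot: the three `+` lines move init, autobuild and analyze to `v4` in one change, which is the right shape: init and analyze should always be on the same version of the action, because analyze consumes the database that init created earlier in the same job. One nit: `# or remove entirely, see next comment` on the autobuild `+` line is reviewer commentary, and if the suggestion is applied as-is it is committed into the workflow as a YAML comment; drop it from the applied change.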
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/codeql.yml at line 34, The workflow is pinning CodeQL Action to v3 (uses: github/codeql-action/init@v3), which is deprecated; update every occurrence of that action reference (including other instances matching "uses: github/codeql-action/init@v3" in the file) to use v4 (uses: github/codeql-action/init@v4) so the workflow runs the CodeQL Action that uses Node.js 24 and receives current fixes and updates; ensure both the init and any other CodeQL action references in the file are consistently changed to `@v4`.
38-39: autobuild is unnecessary for javascript-typescript and can be replaced with build-mode: none. The none build mode creates the database without building the source code and is available for all interpreted languages. The autobuild build mode attempts to automatically build the source code and is only available for compiled languages. Running autobuild on a JS/TS project adds unnecessary overhead and will be a no-op at best.
♻️ Proposed refactor to skip autobuild for interpreted language
- name: Initialize CodeQL uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} + build-mode: none - - name: Autobuild - uses: github/codeql-action/autobuild@v4 - - name: Perform CodeQL Analysis🤖 Prompt for AI Agents
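Review bot: `+ build-mode: none` is a constant on the init step while `languages: ${{ matrix.language }}` is matrix-driven; that is consistent as long as the matrix holds only `javascript-typescript`, but if a compiled language is ever added the build mode will need to be chosen per language (a second matrix dimension) rather than hard-coded, since not every language supports a build mode of `none`. A one-line comment next to the `+` line saying it applies to the interpreted language in the matrix would make that intent visible to the next editor.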
Verify each finding against the current code and only fix it if needed. In @.github/workflows/codeql.yml around lines 38 - 39, The workflow step named "Autobuild" is unnecessary for this JavaScript/TypeScript repo; replace the step that uses github/codeql-action/autobuild@v3 with the CodeQL analyze action configured to skip building (use github/codeql-action/analyze@v3 and set build-mode: none in the step's with: block), and ensure languages includes javascript and/or typescript as appropriate; update or remove the old "Autobuild" usage so the job creates the DB without attempting an autobuild.
Upgrade codeql-action from v3 to v4 (v3 deprecated December 2026). Remove unnecessary Autobuild step since JavaScript/TypeScript analysis does not require a build.
🧹 Nitpick comments (1)
.github/workflows/codeql.yml (1)
34-36: Good: CodeQL Action v4 is the correct current version.
github/codeql-action/init@v4 runs on the Node.js 24 runtime and is the recommended major version. Referencing the CodeQL Action by major version tag (e.g. v4) ensures the workflow automatically picks up the latest release within that major version, including bug fixes, new features, and updated CodeQL CLI versions. Consider explicitly adding queries: security-extended to the init step for broader OWASP/CWE query coverage beyond the default suite:
🔍 Suggested addition for broader query coverage
- name: Initialize CodeQL uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} + queries: security-extended🤖 Prompt for AI Agents
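Review bot: `+ queries: security-extended` widens the query set beyond the default suite, and the extra queries are of lower precision, so the first analysis after this lands will usually raise more alerts than the default run did. If code scanning results are used as a required status check, triage the new findings in the Security tab (dismiss false positives, mark won't-fix) before relying on that check for merge gating; otherwise the suggestion looks right.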
Verify each finding against the current code and only fix it if needed. In @.github/workflows/codeql.yml around lines 34 - 36, Add the CodeQL queries option to the init step so the workflow runs the broader OWASP/CWE suite; update the github/codeql-action/init@v4 invocation (the init step) to include queries: security-extended in its with: block so CodeQL executes the extended security query pack in addition to the defaults.
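The codeql.yml suggestions from this thread (v4, `build-mode: none` instead of the Autobuild step, `queries: security-extended`) assembled into one workflow, as an added example rather than the PR's own file. The cron expression for "Monday 08:00 UTC", the permissions block and the step names are assumptions; the runner label, languages matrix and action references are the ones discussed above.

```yaml
# Added example (not the PR's own codeql.yml): the workflow as the review
# thread converges on it. Assumed: cron '0 8 * * 1' for "Monday 08:00 UTC",
# and a permissions block sized for SARIF upload.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 8 * * 1'   # Monday 08:00 UTC

permissions:
  contents: read

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: blacksmith-4vcpu-ubuntu-2404   # label from the PR; confirm it exists
    permissions:
      security-events: write   # upload SARIF results to code scanning
      contents: read
      actions: read
    strategy:
      matrix:
        language: [javascript-typescript]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          # Interpreted language: build the database without a build step,
          # which is why the separate Autobuild step is gone.
          build-mode: none
          # Broader OWASP/CWE coverage than the default suite; expect more
          # alerts to triage on the first run.
          queries: security-extended

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
```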