Skip to content

Add CodeQL Analysis workflow for automated security scanning#11

Draft
Copilot wants to merge 2 commits intomainfrom
copilot/fix-a300f28b-9691-46fa-8b25-94f23075f78c
Draft

Add CodeQL Analysis workflow for automated security scanning#11
Copilot wants to merge 2 commits intomainfrom
copilot/fix-a300f28b-9691-46fa-8b25-94f23075f78c

Conversation

Copy link
Copy Markdown

Copilot AI commented Sep 9, 2025
edited
Loading

This PR adds a CodeQL Analysis workflow to enhance code security and automatically identify vulnerabilities in the repository. The workflow follows GitHub's recommended security practices for continuous code analysis.

What's Added

  • .github/workflows/codeql.yml - A comprehensive CodeQL workflow configuration

Key Features

  • Language Support: Configured for JavaScript/TypeScript analysis, covering the primary runtime languages used across all gateway and verifier packages
  • Comprehensive Triggers:
    • Runs on every push to the main branch
    • Analyzes pull requests targeting main before merge
    • Includes weekly scheduled scans (Mondays at 17:24 UTC) for continuous monitoring
  • Security-First Configuration: Proper permissions for security-events, packages, actions, and contents
  • Production Ready: Uses latest CodeQL actions (v4/v3) with 360-minute timeout and fail-fast disabled for complete analysis

Implementation Details

The workflow uses GitHub's standard CodeQL template with customizations for this monorepo structure:

- Language: javascript-typescript
- Build Mode: none (no compilation required)  
- Runner: ubuntu-latest
- Strategy: Matrix-based analysis with comprehensive coverage

Benefits

  1. Automated Security Scanning: Identifies potential security vulnerabilities in TypeScript/JavaScript code
  2. PR Integration: Security analysis runs before code is merged to main
  3. Continuous Monitoring: Weekly scans catch newly discovered vulnerability patterns
  4. Zero Maintenance: Fully automated with no impact on existing CI workflows

Repository Analysis

The workflow targets JavaScript/TypeScript files which represent the core operational code:

  • 11,788+ TypeScript files
  • 27,498+ JavaScript files
  • Gateway services, build scripts, and runtime logic

While the repository also contains 2,062 Solidity smart contract files, CodeQL doesn't currently support Solidity analysis. The JavaScript/TypeScript focus provides comprehensive security coverage for all runtime and operational code.

The workflow will begin running immediately upon merge and will populate the repository's Security tab with any findings.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/dapphub/ds-test/tarball/
    • Triggering command: bun install --ignore-scripts (http block)
  • https://api.github.com/repos/ethereumjs/ethereumjs-abi/tarball/
    • Triggering command: REDACTED, pid is -1 (http block)

If you need me to access, download, or install something from one of these locations, you can either:

This pull request was created as a result of the following prompt from Copilot chat.

Add a CodeQL Analysis workflow to this repository to enhance code security and identify vulnerabilities. Use the standard CodeQL workflow template provided by GitHub and target the primary programming languages used in this repository. Ensure the workflow runs on pull requests and pushes to the default branch.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@conjon611
Add CodeQL Analysis workflow for automated security scanning
ea26e9d 
Co-authored-by: conjon611 <35982885+conjon611@users.noreply.github.com>
Copilot AI changed the title [WIP] Enable CodeQL Analysis workflow Add CodeQL Analysis workflow for automated security scanning Sep 9, 2025
Copilot AI requested a review from conjon611 September 9, 2025 18:29
@conjon611 conjon611 marked this pull request as ready for review February 4, 2026 06:01
Copilot AI review requested due to automatic review settings February 4, 2026 06:01
@conjon611 conjon611 marked this pull request as draft February 4, 2026 06:01
Copilot AI reviewed Feb 4, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a CodeQL security analysis workflow to enable automated vulnerability scanning of the JavaScript/TypeScript codebase. The workflow is configured to run on pushes to main, pull requests targeting main, and on a weekly schedule.

Changes:

  • Added .github/workflows/codeql.yml with CodeQL analysis configuration for JavaScript/TypeScript
  • Configured workflow triggers for push, pull requests, and scheduled scans (weekly on Mondays)
  • Set up proper permissions for security scanning with appropriate timeout and fail-fast settings

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@conjon611 conjon611 conjon611 approved these changes

Copilot code review Copilot Copilot left review comments

Assignees

@conjon611 conjon611

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@conjon611