Update regex for GitHub hosted runner matching

JarLob · web-flow · commit 9078b511c678 · 2026-06-12T09:37:18.000+03:00
Fixes false positives (of critical severity). New label naming conventions were introduced since the query was initially written.
diff --git a/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll
@@ -5,7 +5,7 @@ predicate isGithubHostedRunner(string runner) {
   // list of github hosted repos: https://github.com/actions/runner-images/blob/main/README.md#available-images
   runner
       .toLowerCase()
-      .regexpMatch("^(ubuntu-([0-9.]+|latest)|macos-([0-9]+|latest)(-x?large)?|windows-([0-9.]+|latest))$")
+      .regexpMatch("^(ubuntu-([0-9.]+|latest)(-arm)?|macos-([0-9]+|latest)(-x?large|-intel)?|windows-([0-9.]+|latest)(-arm|-vs[0-9.]+)?)$")
 }
 
 bindingset[runner]

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ predicate isGithubHostedRunner(string runner) {`
`5`	`5`	`// list of github hosted repos: https://github.com/actions/runner-images/blob/main/README.md#available-images`
`6`	`6`	`runner`
`7`	`7`	`.toLowerCase()`
`8`		`- .regexpMatch("^(ubuntu-([0-9.]+\|latest)\|macos-([0-9]+\|latest)(-x?large)?\|windows-([0-9.]+\|latest))$")`
	`8`	`+ .regexpMatch("^(ubuntu-([0-9.]+\|latest)(-arm)?\|macos-([0-9]+\|latest)(-x?large\|-intel)?\|windows-([0-9.]+\|latest)(-arm\|-vs[0-9.]+)?)$")`
`9`	`9`	`}`
`10`	`10`
`11`	`11`	`bindingset[runner]`