Skip to content

ci: add CodeQL static security analysis#104

Merged
sspaink merged 1 commit into
open-policy-agent:mainfrom
sspaink:ci/codeql
Jul 14, 2026
Merged

ci: add CodeQL static security analysis#104
sspaink merged 1 commit into
open-policy-agent:mainfrom
sspaink:ci/codeql

Conversation

@sspaink

@sspaink sspaink commented Jul 6, 2026

Copy link
Copy Markdown
Member

What

Adds GitHub CodeQL static security analysis for the Java sources.

  • Runs on PRs, pushes to main, and a weekly schedule (so newly disclosed queries re-scan existing code).
  • Uses the security-and-quality query suite.
  • Performs a manual Gradle compile (compileJava compileTestJava -x test) so CodeQL traces every module's compilation; correctness is already covered by the per-module test jobs.

Why

The SDK includes crypto, token, and JSON-deserialization modules where injection / crypto-misuse / unsafe-deserialization issues are worth catching automatically. CodeQL is free for this OSS repo.

Notes

  • Actions are hash-pinned to match the repo's zizmor policy.
  • Results surface in the repo's Security -> Code scanning tab.

Comment thread .github/workflows/codeql.yml Fixed
Comment thread .github/workflows/codeql.yml Fixed
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Runs CodeQL's java-kotlin analysis with the security-and-quality query
suite on PRs, pushes to main, and a weekly schedule. Uses a manual
Gradle build (compile only, tests excluded) so CodeQL traces every
module's compilation.

Signed-off-by: Sebastian Spaink <sebastianspaink@gmail.com>
@sspaink
sspaink requested a review from a team July 6, 2026 21:27

@kroekle kroekle left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@sspaink
sspaink merged commit 8701da3 into open-policy-agent:main Jul 14, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants