ci: add CodeQL analysis for Python and GitHub Actions#1053
Conversation
Enables CodeQL security scanning with python and actions language analyzers using the security-and-quality query suite. The actions analyzer detects workflow vulnerabilities like script injection, missing permissions, and untrusted checkout. Co-Authored-By: AJ Steers <aj@airbyte.io>
Co-Authored-By: AJ Steers <aj@airbyte.io>
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
👋 Greetings, Airbyte Team Member!Here are some helpful tips and reminders for your convenience. 💡 Show Tips and TricksTesting This PyAirbyte VersionYou can test this version of PyAirbyte using the following: # Run PyAirbyte CLI from this branch:
uvx --from 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1783103177-add-codeql' pyairbyte --help
# Install PyAirbyte from this branch for development:
pip install 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1783103177-add-codeql'PR Slash CommandsAirbyte Maintainers can execute the following slash commands on your PR:
📚 Show Repo GuidanceHelpful ResourcesCommunity SupportQuestions? Join the #pyairbyte channel in our Slack workspace. |
|
Warning Review limit reached
Next review available in: 39 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughAdds a new GitHub Actions workflow for CodeQL vulnerability checks on pushes, pull requests, and a weekly schedule. It runs a matrix job for ChangesCodeQL Workflow Setup
Estimated code review effort: 1 (Trivial) | ~5 minutes Related Issues: None provided. Suggested labels: ci, security Suggested reviewers: None provided. 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/codeql.yml (1)
30-41: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winCould you pin
actions/checkoutandgithub/codeql-actionto reviewed SHAs, and bump CodeQL from@v3to@v4? In.github/workflows/codeql.yml, the workflow still relies on mutable major tags; pinning them would better match the supply-chain hardening this job is meant to provide.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/codeql.yml around lines 30 - 41, The CodeQL workflow is still using mutable action tags, so update the checkout and CodeQL steps in the workflow to reference reviewed commit SHAs instead of version tags. Locate the `actions/checkout` usage and the `github/codeql-action/init` and `github/codeql-action/analyze` steps, pin each to a reviewed SHA, and bump the CodeQL action reference from v3 to v4 while keeping the existing workflow behavior unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/codeql.yml:
- Around line 30-41: The CodeQL workflow is still using mutable action tags, so
update the checkout and CodeQL steps in the workflow to reference reviewed
commit SHAs instead of version tags. Locate the `actions/checkout` usage and the
`github/codeql-action/init` and `github/codeql-action/analyze` steps, pin each
to a reviewed SHA, and bump the CodeQL action reference from v3 to v4 while
keeping the existing workflow behavior unchanged.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 9688765f-31ae-4fa3-82ec-8968c2e4ecad
📒 Files selected for processing (1)
.github/workflows/codeql.yml
Code Coverage OverviewLanguages: Python Python / code-coverage/pytest-fastThe overall coverage in the branch is 67%. The coverage in the branch is 65%. Show a code coverage summary of the most impacted files.
Python / code-coverage/pytest-no-credsThe overall coverage in the branch is 67%. The coverage in the branch is 65%. Show a code coverage summary of the most impacted files.
Python / code-coverage/pytestThe overall coverage in the branch is 72%. The coverage in the branch is 71%. Show a code coverage summary of the most impacted files.
Updated |
Co-Authored-By: AJ Steers <aj@airbyte.io>
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/codeql-vulnerability-checks.yml (1)
32-32: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winConsider upgrading to
codeql-actionv4.
github/codeql-actionv3 is scheduled for deprecation in December 2026 and already surfaces Node.js 20 deprecation warnings in workflow runs today. Since v4 has been GA since October 2025 with no breaking changes for this basic setup, would it make sense to pininit/analyze(andactions/checkout, already on v4) to@v4now to avoid a forced migration later, wdyt?♻️ Suggested version bump
- name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} queries: security-and-quality - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@v4 with: category: "/language:${{ matrix.language }}"Also applies to: 37-37, 43-43
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/codeql-vulnerability-checks.yml at line 32, The workflow is still using the older codeql-action version, so update the CodeQL setup steps to the v4 release alongside the existing actions/checkout v4 pin. In the codeql-vulnerability-checks workflow, change the action references for the code scanning initialization and analysis steps (the ones using the CodeQL init/analyze actions) to `@v4` so the workflow stays current and avoids the upcoming deprecation.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/codeql-vulnerability-checks.yml:
- Line 32: The workflow is still using the older codeql-action version, so
update the CodeQL setup steps to the v4 release alongside the existing
actions/checkout v4 pin. In the codeql-vulnerability-checks workflow, change the
action references for the code scanning initialization and analysis steps (the
ones using the CodeQL init/analyze actions) to `@v4` so the workflow stays current
and avoids the upcoming deprecation.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 3610aa5e-38df-4d07-9407-03eceaf978c8
📒 Files selected for processing (1)
.github/workflows/codeql-vulnerability-checks.yml
Co-Authored-By: AJ Steers <aj@airbyte.io>
Co-Authored-By: AJ Steers <aj@airbyte.io>
Co-Authored-By: AJ Steers <aj@airbyte.io>
Summary
Adds CodeQL security scanning with
pythonandactionslanguage analyzers using thesecurity-and-qualityquery suite.The
actionsanalyzer detects GitHub Actions-specific vulnerabilities like script injection (actions/dangerous-action-command), missing permissions blocks, and untrusted checkout.Runs on push/PR to
mainand weekly on Monday.Link to Devin session: https://app.devin.ai/sessions/fe5d63b3474f4fe6990b6f8f7a47f8ed
Requested by: Aaron ("AJ") Steers (@aaronsteers)
Summary by CodeRabbit
Important
Auto-merge enabled.
This PR is set to merge automatically when all requirements are met.