diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 0000000..d471048
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,14 @@
+name: dmarcheck CodeQL config
+
+# Exclude test files from CodeQL analysis.
+#
+# Why: tests use String.includes() on warning-message strings as assertions
+# (e.g. expect(v.message.includes("example.com")).toBe(true)). The
+# js/incomplete-url-substring-sanitization rule fires on these as if they were
+# URL sanitization gates, but they have no URL flow, no fetch, and no auth
+# boundary — the .includes() runs on the asserted output, not user input.
+# Tests are not shipped to the Worker runtime, so the security blast radius
+# of excluding them is zero.
+paths-ignore:
+  - test/**
+  - "**/*.test.ts"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..e540f9d
--- /dev/null
+++ b/.github/workflows/codeql.yml
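Review bot: The `paths-ignore` block drops every CodeQL query over `test/**` and `**/*.test.ts`, while the comment above it justifies suppressing only one rule, `js/incomplete-url-substring-sanitization`; queries such as hard-coded credentials or weak crypto in fixtures stop running over tests as a side effect the rationale does not cover. If the goal is just to silence that rule, the narrower options are dismissing the specific alerts as false positives in the code-scanning UI, or a rule-level filter in this same config, `query-filters:` / `  - exclude:` / `      id: js/incomplete-url-substring-sanitization`, which keeps the rest of the suite running over tests (at the cost of losing that one rule on shipped code too). Either way, I would extend the comment with one sentence naming which trade-off was chosen and why, so the next reader does not re-derive it.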
@@ -0,0 +1,42 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Weekly full scan, Monday 12:23 UTC. Keeps coverage for branches that
+    # aren't being actively PR'd.
+    - cron: "23 12 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+            build-mode: none
+          - language: javascript-typescript
+            build-mode: none
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: github/codeql-action/init@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3.36.0
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          config-file: ./.github/codeql/codeql-config.yml
+      - uses: github/codeql-action/analyze@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3.36.0
+        with:
+          category: "/language:${{ matrix.language }}"
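Review bot: The `analyze` job sets no `timeout-minutes`, so a stalled CodeQL extraction or upload holds a runner for the platform default of six hours on every push, PR and weekly cron; a bound such as `timeout-minutes: 60` (value constructed here, pick one that fits the repo's analysis time) directly under `runs-on: ubuntu-latest` fails fast instead. On the job-level `permissions`, `packages: read` is only needed to fetch private CodeQL packs and `actions: read` only for private repositories, so if neither applies to this repository both can be removed to keep the token at the minimum (`security-events: write` plus `contents: read`). The SHA-pinned `uses:` references with version comments and the read-only top-level `permissions` are the right shape and need no change.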