CodeQL Findings Remediation Hotfix #721
… enhance JS scan script
Pull request overview
Aligns local/pre-commit CodeQL JS scanning with CI configuration and expands workflow triggers to cover additional branch patterns, while adding parity checks and documentation for the remediation validation.
Changes:
- Updated JS CodeQL pre-commit scan to use repository root scope and CI Code Scanning config.
- Expanded CodeQL workflow `push` branch patterns and enforced parity checks for JS tasks/commands.
- Added QA/reporting documentation for the CodeQL hardening validation and alert origin mapping.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| scripts/pre-commit-hooks/codeql-js-scan.sh | Aligns local CodeQL DB creation with CI scope and config. |
| scripts/ci/check-codeql-parity.sh | Updates parity assertions for workflow branches and VS Code JS task wiring. |
| .github/workflows/codeql.yml | Expands push triggers to include feature/fix branch patterns. |
| .vscode/tasks.json | Switches JS CodeQL task to call the shared pre-commit script. |
| docs/reports/qa_report.md | Documents validation steps/results for the CodeQL hardening. |
| docs/reports/codeql_pr718_origin_map.md | Adds a report mapping high alerts to introducing commits. |
| Severity | Count |
|---|---|
| 🔴 Critical | 0 |
| 🟠 High | 1 |
| 🟡 Medium | 9 |
| 🟢 Low | 1 |
| Total | 11 |
📎 Artifacts
- SBOM (CycloneDX JSON) and Grype results available in workflow artifacts
Generated by Supply Chain Verification workflow
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
…ove SARIF file handling
…for database creation
… feature branches
- Removed unnecessary fields from logs where applicable to reduce clutter and focus on essential information.
- Ensured consistent logging practices to enhance security and prevent log injection vulnerabilities.
…t and coverage reporting
…ekly-non-major-updates fix(deps): update weekly-non-major-updates (feature/beta-release)
… up ignored files
…rgets and comments
…uential operations
…stency across scripts and tests
…proved functionality
No description provided.