Barazo AppView backend barazo.forum

ci(codeql): switch to advanced setup, exclude Fastify false positive (#68)

The js/missing-rate-limiting rule does not recognise @fastify/rate-limit's
per-route config.rateLimit pattern and flags every route handler as
unprotected. All flagged routes already have rate limiting configured.

Switch from CodeQL default setup to an advanced workflow with a custom
config that excludes this rule while keeping the security-extended suite.

Authored by Guido X Jansen and committed by GitHub
c4a89116 a5a15c70

+50
+11
.github/codeql/codeql-config.yml
··· 1 + # CodeQL configuration for barazo-api 2 + # Uses the extended query suite with exclusions for false positives. 3 + 4 + name: 'Barazo API CodeQL Config' 5 + 6 + # Exclude queries that produce false positives with Fastify. 7 + # js/missing-rate-limiting does not recognise @fastify/rate-limit's 8 + # per-route config.rateLimit option and flags every handler as unprotected. 9 + query-filters: 10 + - exclude: 11 + id: js/missing-rate-limiting
+39
.github/workflows/codeql.yml
··· 1 + name: CodeQL 2 + 3 + on: 4 + push: 5 + branches: [main] 6 + pull_request: 7 + branches: [main] 8 + schedule: 9 + # Run weekly on Monday at 06:00 UTC 10 + - cron: '0 6 * * 1' 11 + 12 + permissions: 13 + contents: read 14 + security-events: write 15 + 16 + jobs: 17 + analyze: 18 + name: Analyze 19 + runs-on: ubuntu-latest 20 + 21 + strategy: 22 + fail-fast: false 23 + matrix: 24 + language: [javascript-typescript] 25 + 26 + steps: 27 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 28 + 29 + - name: Initialize CodeQL 30 + uses: github/codeql-action/init@45580472a5bb82c4681c4ac726cfdb60060c2ee1 # v3 31 + with: 32 + languages: ${{ matrix.language }} 33 + config-file: .github/codeql/codeql-config.yml 34 + queries: security-extended 35 + 36 + - name: Perform CodeQL Analysis 37 + uses: github/codeql-action/analyze@45580472a5bb82c4681c4ac726cfdb60060c2ee1 # v3 38 + with: 39 + category: '/language:${{ matrix.language }}'
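Review bot: in `.github/codeql/codeql-config.yml`, the `query-filters` exclusion of `js/missing-rate-limiting` is unconditional, so it also silences the rule for any future route that is added without a `config.rateLimit` block, and the commit message's "all flagged routes already have rate limiting configured" only holds for today's code. Consider pairing the exclusion with a compensating check outside CodeQL (for example a test that walks the registered Fastify routes and fails if one lacks `config.rateLimit`), and extend the comment on lines 6-8 of the file to say that this exclusion shifts responsibility for the check onto that test or onto code review.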
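Review bot: in `.github/workflows/codeql.yml`, the two `github/codeql-action` steps are pinned to a full SHA but annotated only with `# v3`, while the checkout step is annotated with the exact release `# v6.0.2`; `v3` is a moving major tag, so a reviewer cannot tell from the file which release the pinned SHA corresponds to, and automated pin-update tooling relies on that comment. Suggest recording the exact tag, e.g. `uses: github/codeql-action/init@45580472a5bb82c4681c4ac726cfdb60060c2ee1 # v3.x.y` (fill in the real release). Minor: since this job only needs to read the tree, the `actions/checkout` step could also set `persist-credentials: false` so the job token is not left in `.git/config` for the rest of the run.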