From 5d05b19c8b4a5e4ecf7ebf66d9a7d1ad908762b9 Mon Sep 17 00:00:00 2001
From: Ricardo Esteves <30535937+RicardoGEsteves@users.noreply.github.com>
Date: Tue, 23 Jan 2024 23:31:33 +0000
Subject: [PATCH] chore: :wrench: Type: Chore | Scope: .github/codeql-config.yml | Title: Simplify CodeQL configuration (#70)

Description: - This commit simplifies the CodeQL configuration in the .github/codeql-config.yml file. - The previous configuration details for the Node.js Security Scan and database connection have been removed. - This change streamlines the configuration, making it easier to maintain and understand. Details: - The previous configuration was more complex and included unnecessary details for a hosted database connection and a specific Node.js Security Scan. - The new configuration is simpler and more generic, which makes it easier to maintain and understand. Changeset: - .github/codeql-config.yml: Removed specific Node.js Security Scan configuration and database connection details. This commit simplifies the CodeQL configuration in the .github/codeql-config.yml file. The previous configuration details for the Node.js Security Scan and database connection have been removed. This change streamlines the configuration, making it easier to maintain and understand. Footer: Co-authored-by: Ricardo Esteves 30535937+RicardoGEsteves@users.noreply.github.com Related to: #60
---
 .github/codeql-config.yml | 103 +++++++++++++++++---------------------
 .github/dependabot.yml | 2 -
 2 files changed, 45 insertions(+), 60 deletions(-)

diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
index d94faf9..de9cf76 100644
--- a/.github/codeql-config.yml
+++ b/.github/codeql-config.yml
@@ -1,58 +1,45 @@
-name: Node.js Security Scan Configuration
-description: Scans Node.js projects for potential security issues using CodeQL
-language: typescript
-version: 1.0.2
-
-connection:
- database:
- type: hosted
- # url: https://codeql.codecov.io/
- # token:
-
-queries:
- - name: Unused Variables
- query: |
- from sources
- where sources.code.contains("unused")
- select sources.code.location, sources.code, "Unused variable detected"
-
- - name: Insecure Dependency Usage
- query: |
- from dependencies
- where dependencies.version < "16.13.1"
- and dependencies.product = "npm:react-dom"
- select dependencies.name, dependencies.version, "Insecure react-dom version used"
-
- - name: NoESLint
- query: |
- from sources
- where not sources.code.contains("eslint")
- select sources.code.location, sources.code, "Missing ESLint"
-
- - name: XSS Vulnerabilities
- query: |
- from sources
- where sources.code.matches("(dangerousXSSMethod|unsafePattern)")
- select sources.code.location, sources.code, "Potential XSS vulnerability"
-
- - name: Injection Vulnerabilities
- query: |
- from sources
- where sources.code.matches("(dangerousSQLQuery|unvalidatedInput)")
- select sources.code.location, sources.code, "Possible injection vulnerability"
-
- - name: Improper Error Handling
- query: |
- from controlflow
- where controlflow.reachesExit() and not controlflow.traversesCatch()
- select controlflow, "Improper error handling"
-
-languages:
- - javascript
- - typescript
-
-environments:
- - name: Node.js
- variables:
- - name: NODE_PATH
- value: "./node_modules"
+name: "Advanced CodeQL Analysis"
+
+on:
+ push:
+ branches: [main, develop]
+ pull_request:
+ branches: [main, develop]
+ schedule:
+ - cron: "0 1 * * 0"
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ node: ["20", "21", "lts/*"]
+ language: ["javascript"]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ matrix.node }}
+ cache: "npm"
+
+ - name: Install Dependencies
+ run: npm ci
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2.16.0
+ with:
+ languages: ${{ matrix.language }}
+ config-file: ./.github/codeql/codeql-config.yml
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v2.16.0
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2.16.0
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 11d76e4..86a9d72 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,8 +5,6 @@ updates: schedule: interval: "daily" open-pull-requests-limit: 30 - ignore: - - dependency-name: "pnpm" - package-ecosystem: "github-actions" directory: "/"
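Review bot: The new workflow declares no `permissions:` block, yet the `github/codeql-action/analyze` step at the end of the hunk has to upload SARIF results, which needs `security-events: write` (plus `actions: read` and `contents: read`); in a repository whose default `GITHUB_TOKEN` is read-only the upload fails, and where the default is write-all the job runs with far more privilege than it uses. Add at the `analyze` job level `permissions:` with `actions: read`, `contents: read` and `security-events: write`. Two further points on placement: the file stays at `.github/codeql-config.yml` although GitHub only runs workflows found under `.github/workflows/`, and the `config-file: ./.github/codeql/codeql-config.yml` it points to is not created by this commit (the diffstat lists only two files), so presumably the intent is a workflow under `.github/workflows/` plus a separate query-config file at that path — worth confirming before merging. Finally, `actions/checkout@v4`, `actions/setup-node@v4` and the three `github/codeql-action/*@v2.16.0` steps are pinned by mutable tag; pinning each to a full-length commit SHA (with the tag kept in a trailing `# vX.Y.Z` comment) removes the risk of a moved tag, and the three-entry `node` matrix appears to run the identical CodeQL analysis three times, since the JavaScript extractor does not, as far as I can tell, depend on the Node.js runtime version.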