diff --git a/.github/workflows/cmake-single-platform.yml b/.github/workflows/cmake-single-platform.yml
index a0cb60102e27..0e827eb3523d 100644
--- a/.github/workflows/cmake-single-platform.yml
+++ b/.github/workflows/cmake-single-platform.yml
@@ -1,147 +1,265 @@
-Here's an updated `cmake-single-platform.yml` workflow that builds your CMake project with SLSA Level 3 provenance and enhanced security:
+We'll set up a GitHub Actions workflow to deploy your Nuxt application to GitHub Pages. The example below uses the official `github_pages` preset for optimal compatibility.
+
+### 📁 Workflow file: `.github/workflows/deploy.yml`
```yaml
-name: CMake Build (Single Platform) with SLSA L3
+name: Deploy Nuxt to GitHub Pages
on:
push:
- branches: [main]
- pull_request:
- release:
- types: [published]
- workflow_dispatch:
-
-permissions:
- id-token: write # OIDC token for Sigstore signing
- contents: read # Minimal read-only access
- packages: write # Only needed if publishing packages
+ branches: [main] # Trigger on pushes to main branch
+ workflow_dispatch: # Allow manual trigger
jobs:
- cmake-build:
+ build:
runs-on: ubuntu-latest
- outputs:
- base64-subjects: ${{ steps.hashes.outputs.base64_subjects }}
- artifacts-name: artifacts-${{ github.run_id }}
-
steps:
- - name: Checkout code
- uses: actions/checkout@v4
+ - uses: actions/checkout@v4
+ - run: corepack enable # Ensures pnpm/yarn are available if needed
+ - uses: actions/setup-node@v4
with:
- fetch-depth: 0 # Required for full commit history in provenance
-
- - name: Install dependencies
- run: sudo apt-get update && sudo apt-get install -y build-essential cmake
-
- - name: Configure CMake
- run: cmake -B build -DCMAKE_BUILD_TYPE=Release
-
- - name: Build project
- run: cmake --build build --config Release --parallel 4
-
- - name: Create artifacts directory
- run: mkdir -p artifacts
-
- - name: Collect binaries
- run: |
- find build -type f -executable -exec cp {} artifacts/ \;
- # Add other artifacts as needed (libraries, config files, etc.)
-
- - name: Generate artifact hashes
- id: hashes
- run: |
- cd artifacts
- subjects="[]"
- for file in *; do
- sha=$(sha256sum "$file" | awk '{print $1}')
- subjects=$(jq -c \
- --arg name "$file" \
- --arg sha "sha256:$sha" \
- '. += [{"name": $name, "digest": $sha}]' \
- <<< "$subjects")
- done
- echo "base64_subjects=$(echo -n "$subjects" | base64 -w0)" >> $GITHUB_OUTPUT
-
- - name: Upload artifacts
- uses: actions/upload-artifact@v4
+ node-version: 20
+ - run: npm ci # Clean install (use `npm install` if you prefer)
+ - run: npx nuxt build --preset github_pages
+ - name: Upload Pages artifact
+ uses: actions/upload-pages-artifact@v3
with:
- name: ${{ steps.hashes.outputs.artifacts-name }}
- path: artifacts/
- retention-days: 5 # Auto-clean old artifacts
+ path: ./.output/public
- provenance:
- needs: [cmake-build]
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+ deploy:
+ needs: build
permissions:
- id-token: write # For Sigstore signing
- contents: write # For release assets
- actions: read # For reusable workflow
- with:
- base64-subjects: ${{ needs.cmake-build.outputs.base64-subjects }}
- upload-artifacts-name: ${{ needs.cmake-build.outputs.artifacts-name }}
- upload-assets: ${{ github.event_name == 'release' && github.event.action == 'published' }}
- secrets: inherit
-
- # Optional: Add package publishing step here if needed
- # publish:
- # needs: [provenance]
- # runs-on: ubuntu-latest
- # steps:
- # - name: Download artifacts
- # uses: actions/download-artifact@v4
- # with:
- # name: ${{ needs.cmake-build.outputs.artifacts-name }}
- #
- # # Add your package publishing commands here
+ pages: write
+ id-token: write
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
+```
+
+### ⚙️ Required Nuxt configuration
+
+In your `nuxt.config.ts` (or `.js`), set the `baseURL` to match your repository name. Also avoid underscores in the build assets directory to prevent issues with GitHub Pages' Jekyll processing.
+
+```ts
+export default defineNuxtConfig({
+ app: {
+ baseURL: '/your-repo-name/', // Replace with your repository name
+ buildAssetsDir: 'assets' // Do NOT start with '_'
+ }
+})
+```
+
+### ✅ Prerequisites
+
+1. **Enable GitHub Pages** with **GitHub Actions** as the source:
+ Go to your repository **Settings → Pages → Build and deployment → Source** and select **GitHub Actions**.
+
+2. Ensure your default branch name matches the trigger (`main` in the example). Adjust if your branch is `master` or something else.
+
+3. Commit and push the workflow file and the updated `nuxt.config`. The next push to `main` will trigger a deployment.
+
+> If you were looking for a CMake workflow (you mentioned `cmake-single-platform.yml`), please clarify – but for Nuxt deployment to GitHub Pages, the above should work perfectly.
+It looks like you're asking about setting up a **large database** in the context of your Nuxt project and GitHub Actions. I'll cover two common scenarios:
+
+1. **Using a database during CI/CD** (e.g., running tests that need a real database).
+2. **Connecting your deployed Nuxt app to a production database** (a “big” managed database).
+
+---
+
+## 1. Database in GitHub Actions (for testing/CI)
+
+If you need a database to run tests or seed data during your workflow, you can use GitHub Actions **service containers**. Below is an example that adds a PostgreSQL service to the `build` job of the Nuxt deployment workflow.
+
+### Example workflow with PostgreSQL
+
+```yaml
+name: Deploy Nuxt + DB tests
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ services:
+ postgres:
+ image: postgres:15
+ env:
+ POSTGRES_USER: testuser
+ POSTGRES_PASSWORD: testpass
+ POSTGRES_DB: testdb
+ options: >-
+ --health-cmd pg_isready
+ --health-interval 10s
+ --health-timeout 5s
+ --health-retries 5
+ ports:
+ - 5432:5432
+ steps:
+ - uses: actions/checkout@v4
+ - run: corepack enable
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 20
+ - run: npm ci
+ # Run database migrations / seeding
+ - run: npx prisma migrate deploy # if using Prisma
+ - run: npm run test # tests that use the DB
+ - run: npx nuxt build --preset github_pages
+ - uses: actions/upload-pages-artifact@v3
+ with:
+ path: ./.output/public
+
+ deploy: # same as before
+ # ...
```
-### Key Features:
-
-1. **Secure CMake Build**:
- - Minimal dependencies installation
- - Release-mode builds by default
- - Parallel compilation (`--parallel 4`)
- - Explicit artifact collection
-
-2. **SLSA L3 Provenance**:
- - Uses official SLSA generator v1.9.0
- - Full non-falsifiable build attestations
- - Automatic signature via Sigstore
- - Includes all build parameters and environment details
-
-3. **Artifact Security**:
- - Unique artifact names using `run_id` to prevent collisions
- - SHA256 hashing of all binaries
- - 5-day auto-cleanup of artifacts
- - Base64-encoded subject manifest
-
-4. **Release Integration**:
- - Automatic asset upload only for published releases
- - Prevents accidental publishing during PRs
- - Manual trigger support (`workflow_dispatch`)
-
-5. **Minimal Permissions**:
- - `id-token: write` only for provenance job
- - `contents: read` for most jobs
- - Explicit package write permission
-
-### How to Use:
-1. Place this file in `.github/workflows/cmake-single-platform.yml`
-2. Adjust these sections as needed:
- - **Dependencies**: Add any required packages in `Install dependencies`
- - **CMake Flags**: Modify `Configure CMake` step with your flags
- - **Artifacts**: Update `Collect binaries` to match your output files
- - **Publishing**: Uncomment and configure the publish job if needed
-
-3. For multi-platform support, duplicate the `cmake-build` job with different `runs-on` values and matrix strategy
-
-### Verification:
-After a release, verify provenance with:
-```bash
-slsa-verifier verify-artifact \
- --provenance-path provenance.json \
- --source-uri github.com/$YOUR_REPO \
- --builder-id https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 \
- YOUR_BINARY
+**Environment variables** for your app (e.g., `DATABASE_URL`) can be set via the `env` context in the step that runs your app/tests.
+
+---
+
+## 2. Production Database for Your Nuxt App
+
+If by “big database” you mean a production‑ready database (PostgreSQL, MySQL, MongoDB, etc.) that your deployed Nuxt app will use, you have several options:
+
+- **Managed cloud databases**:
+ - [Supabase](https://supabase.com/) (PostgreSQL, easy integration with Nuxt)
+ - [AWS RDS](https://aws.amazon.com/rds/)
+ - [Google Cloud SQL](https://cloud.google.com/sql)
+ - [MongoDB Atlas](https://www.mongodb.com/atlas)
+
+- **Database as a service with generous free tiers** (good for starting “big”):
+ - [Neon](https://neon.tech/) (serverless Postgres)
+ - [PlanetScale](https://planetscale.com/) (MySQL)
+ - [Supabase](https://supabase.com/)
+
+### Connecting to a production database from GitHub Pages
+
+GitHub Pages hosts **static files only**. If your Nuxt app is **static** (`npm run generate`), it cannot connect directly to a database on the client side. You have two approaches:
+
+1. **Use a serverless backend** (e.g., Supabase, Firebase, or your own API on a platform like Vercel/Railway) and call it from your static Nuxt app via `fetch`.
+2. **Use Nuxt's server routes** (if you deploy on a Node.js environment like Vercel, Netlify, or a VPS). But GitHub Pages only serves static files, so server routes won't work there.
+
+If you need a **hybrid** or **server‑side rendered** app with a database, consider deploying to:
+- [Vercel](https://vercel.com) (excellent Nuxt support)
+- [Netlify](https://netlify.com)
+- [Cloudflare Pages](https://pages.cloudflare.com)
+- A VPS (DigitalOcean, Hetzner) with a Node.js server.
+
+Then, in your GitHub Actions, you can:
+- Set the production `DATABASE_URL` as a [repository secret](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions).
+- Pass it to the build step if needed (e.g., for prerendering dynamic routes).
+- Or use it only when running migrations before deploying.
+
+### Example: Using a production database secret in GitHub Actions
+
+```yaml
+- name: Run migrations on production DB
+ env:
+ DATABASE_URL: ${{ secrets.PROD_DATABASE_URL }}
+ run: npx prisma migrate deploy
```
-This workflow provides cryptographic guarantees of build integrity while maintaining build performance and flexibility.
+---
+
+## 3. Need More Specifics?
+
+If you can clarify what you mean by “set all big database,” I can give more tailored guidance. For instance:
+
+- Are you looking to **run database migrations** as part of your GitHub Actions workflow?
+- Do you want to **set up a database service** for testing?
+- Are you trying to **connect your Nuxt app to a cloud database** in production?
+
+Just let me know!
+I understand you'd like more specific guidance on integrating a database with your Nuxt app and GitHub Actions. To give you the most helpful answer, I need a bit more context. Could you clarify:
+
+1. **Where do you plan to deploy your Nuxt app?**
+ - GitHub Pages (static only)
+ - Vercel / Netlify (supports serverless functions)
+ - A VPS or Node.js hosting (full server)
+
+2. **What kind of database?**
+ - PostgreSQL, MySQL, MongoDB, SQLite, etc.
+
+3. **What do you mean by “set all big database”?**
+ - Do you want to **spin up a database during CI** (for testing)?
+ - Do you want to **connect your production app to a cloud database**?
+ - Do you need help with **migrations** or **seeding** in the workflow?
+
+4. **Are you using an ORM like Prisma, Drizzle, or direct database drivers?**
+
+Once I know these details, I can provide a **tailored, step-by-step guide**.
+
+In the meantime, here’s a **common, concrete scenario** (many Nuxt developers use this):
+
+---
+
+### 🔥 Scenario: Static Nuxt app on GitHub Pages + Supabase (PostgreSQL) as backend
+
+**Goal:**
+- Deploy static Nuxt site to GitHub Pages.
+- Use Supabase as the “big database” (PostgreSQL with REST API).
+- Fetch data client‑side or via Supabase client.
+
+**Why this works:**
+- GitHub Pages serves static files.
+- Supabase provides a database and an API – no server needed.
+- You can manage schema and data through Supabase dashboard or migrations.
+
+#### Step‑by‑step:
+
+1. **Create a Supabase project** at [supabase.com](https://supabase.com).
+ - Get your project URL and anon/public key from **Settings → API**.
+
+2. **Install Supabase client** in your Nuxt app:
+ ```bash
+ npm install @supabase/supabase-js
+ ```
+
+3. **Create a Supabase plugin** (e.g., `plugins/supabase.client.ts`):
+ ```ts
+ import { createClient } from '@supabase/supabase-js'
+
+ export default defineNuxtPlugin(() => {
+ const supabase = createClient(
+ process.env.SUPABASE_URL,
+ process.env.SUPABASE_ANON_KEY
+ )
+ return {
+ provide: { supabase }
+ }
+ })
+ ```
+
+4. **Set environment variables** locally (`.env`) and in GitHub Actions (secrets).
+ For local dev:
+ ```
+ SUPABASE_URL=https://yourproject.supabase.co
+ SUPABASE_ANON_KEY=your-anon-key
+ ```
+ In GitHub repo: add these as secrets (`SUPABASE_URL`, `SUPABASE_ANON_KEY`).
+
+5. **Use Supabase in your pages/components**:
+ ```vue
+
+ ```
+
+6. **GitHub Actions workflow** (from previous answer) – just ensure the secrets are passed if needed at build time. If you only fetch client‑side, you don't need them at build time. If you need to prerender dynamic routes with data, you would pass them to the build step.
+
+7. **Deploy**: The workflow builds the static site and uploads to GitHub Pages. The app will talk to Supabase directly from the browser.
+
+---
+
+If this matches your needs, I can expand on any part. If not, please provide more specifics so I can tailor the solution.
diff --git a/CodeQL Advanced b/CodeQL Advanced
deleted file mode 100644
index 686c32a140b6..000000000000
--- a/CodeQL Advanced
+++ /dev/null
@@ -1,714 +0,0 @@
-Configuring CodeQL in advanced setup gives you granular control to customize scanning for your project's specific needs, going far beyond what default setup offers. You can fine-tune everything from scan triggers and operating systems to creating your own security queries.
-
-Here's a comparison to help you understand the core differences:
-
-| Feature | Default Setup | Advanced Setup |
-| :--- | :--- | :--- |
-| **Control** | Automated, minimal input | Full manual control |
-| **Configuration** | Simple UI-based | Editing YAML workflow files |
-| **Customization** | Limited | Extensive (triggers, OS, queries, etc.) |
-| **Workflow Location** | Automatically managed | `.github/workflows/` directory |
-| **Best For** | Quick start, standard needs | Complex projects, specific requirements |
-
-### ⚙️ Configure the Advanced Workflow
-
-The advanced setup revolves around modifying a CodeQL workflow file (typically `codeql-analysis.yml`) located in your repository's `.github/workflows` directory.
-
-**Set Scanning Triggers and Frequency**
-You can configure the workflow to run on specific events, on a schedule, or both. This is defined using the `on` key in the YAML file.
-
-- **Scan on Push and Pull Requests**: This is the standard practice for catching vulnerabilities as they are introduced. You can specify which branches to monitor.
-- **Avoid Unnecessary Scans**: Use `paths-ignore` to skip scanning PRs that only change certain files (like documentation), saving resources.
-- **Schedule Scans**: Run periodic scans (e.g., weekly) to catch new vulnerabilities from updated CodeQL queries, even during inactive periods.
-
-```yaml
-on:
- push:
- branches: [ main, protected ]
- pull_request:
- branches: [ main ]
- paths-ignore:
- - '**/*.md'
- - '**/*.txt'
- schedule:
- - cron: '20 14 * * 1' # Every Monday at 14:20 UTC
-```
-
-**Specify the Operating System and Languages**
-The `runs-on` key determines the OS of the runner. CodeQL supports `ubuntu-latest`, `windows-latest`, and `macos-latest`.
-
-- **For Swift code**, CodeQL uses macOS runners by default, which are more expensive. You can configure it to use a different runner for all steps except the build.
-- Use a **matrix strategy** to analyze multiple languages efficiently in parallel jobs. For compiled languages like Java, you may need to include custom build steps.
-
-```yaml
-jobs:
- analyze:
- name: Analyze
- runs-on: ubuntu-latest
- strategy:
- fail-fast: false
- matrix:
- language: [ 'javascript', 'python', 'java' ]
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
- with:
- languages: ${{ matrix.language }}
-```
-
-### 🔍 Develop Custom Queries
-
-Advanced setup allows you to extend analysis by running additional queries, including those you write yourself.
-
-**Create a Query Pack**
-CodeQL queries are organized into "packs". To start writing your own, create a new pack using the CodeQL CLI, which generates a `qlpack.yml` file.
-```bash
-codeql pack init /
-```
-You then need to add dependencies for the standard library of the language you want to analyze.
-```bash
-codeql pack add codeql/javascript-all
-```
-
-**Understand QL Basics**
-QL is a declarative, logic programming language. A basic query follows this structure:
-```ql
-from /* ... variable declarations ... */
-where /* ... logical conditions ... */
-select /* ... expressions to output ... */
-```
-
-**Write and Refine Queries**
-- **Leverage Standard Libraries**: Use existing classes and predicates from the extensive CodeQL libraries to build upon.
-- **Use Debugging Tools**: If a query doesn't work as expected, techniques like creating a minimal code example, using Quick Evaluation in VS Code, viewing the AST, and generating partial path graphs are invaluable for diagnosing issues.
-- **Add Query Metadata**: Include a comment block with metadata like `@name`, `@description`, and `@kind` so the results are properly displayed in GitHub.
-
-### 🚀 Implement at Scale and Customize Further
-
-- **Scale Across an Organization**: For organizations needing advanced setup on many repositories, you can use a bulk configuration script to add the workflow across a group of repos efficiently.
-- **Extend Analysis with Model Packs**: For code that uses custom or niche frameworks not recognized by standard queries, you can specify published **CodeQL model packs** (currently in preview for C/C++, C#, Java/Kotlin, Python, Ruby, and Rust) to extend coverage.
-- **Specify a Custom Database Location**: While usually handled automatically, you can define where the CodeQL database is stored using the `db-location` parameter under the `init` action, which is useful for custom workflow steps.
-
-I hope this gives you a comprehensive roadmap for leveraging the advanced capabilities of CodeQL. Which aspect are you most interested in implementing first? If you're working with a specific programming language or framework, I might be able to offer more tailored guidance.
-# CodeQL Advanced Implementation Guide
-
-## 🚀 Advanced CodeQL Configuration
-
-### Multi-Language Enterprise Setup
-
-```yaml
-# .github/workflows/advanced-codeql.yml
-name: "Advanced CodeQL Analysis"
-
-on:
- push:
- branches: [ main, develop, release/* ]
- paths-ignore:
- - '**/*.md'
- - '**/*.docs'
- - '**/test/**'
- - '**/spec/**'
- pull_request:
- branches: [ main, develop ]
- paths:
- - 'src/**'
- - 'lib/**'
- - '**.java'
- - '**.js'
- - '**.ts'
- - '**.py'
- - '**.go'
- schedule:
- - cron: '0 2 * * 1' # Weekly on Monday at 2 AM UTC
- workflow_dispatch:
- inputs:
- severity:
- description: 'Minimum severity level'
- required: true
- default: 'error'
- type: choice
- options:
- - error
- - warning
- - note
-
-env:
- CODEQL_ACTION_DISABLE_SETUP: false
- CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: false
- CODEQL_POWERFUL_ANALYSIS: true
-
-jobs:
- analyze:
- name: Advanced CodeQL Analysis
- runs-on: ubuntu-latest
-
- strategy:
- fail-fast: false
- matrix:
- include:
- - language: java-kotlin
- build-mode: autobuild
- - language: javascript
- build-mode: none
- - language: python
- build-mode: none
- - language: go
- build-mode: autobuild
- - language: cpp
- build-mode: manual
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
- with:
- fetch-depth: 0 # Full history for better analysis
-
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
- with:
- languages: ${{ matrix.language }}
- queries: +security-and-quality,security-extended
- config-file: ./.github/codeql/codeql-config.yml
- tools: latest
-
- - name: Autobuild (if needed)
- if: matrix.build-mode == 'autobuild'
- uses: github/codeql-action/autobuild@v3
-
- - name: Manual Build (C/C++)
- if: matrix.language == 'cpp' && matrix.build-mode == 'manual'
- run: |
- mkdir build && cd build
- cmake ..
- make -j4
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
- with:
- category: "/language:${{ matrix.language }}"
- output: sarif-results
- upload-database: true
- skip-queries: ${{ github.event_name == 'schedule' && 'security' || '' }}
- env:
- CODEQL_ACTION_DISABLE_SETUP: false
-
- custom-queries:
- name: Custom Query Analysis
- runs-on: ubuntu-latest
- needs: analyze
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
- with:
- languages: javascript, python
- queries: ./.github/codeql/custom-queries.qls
- packs: codeql/custom-queries
-
- - name: Run Custom Queries
- uses: github/codeql-action/analyze@v3
- with:
- category: "custom"
-
- security-dashboard:
- name: Security Dashboard Update
- runs-on: ubuntu-latest
- needs: [analyze, custom-queries]
- if: always()
-
- steps:
- - name: Upload Results to Security Dashboard
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: sarif-results
- wait-for-processing: true
-
- - name: Generate Security Report
- run: |
- echo "## CodeQL Security Analysis Report" >> $GITHUB_STEP_SUMMARY
- echo "| Language | Critical | High | Medium | Low |" >> $GITHUB_STEP_SUMMARY
- echo "|----------|----------|------|--------|-----|" >> $GITHUB_STEP_SUMMARY
- echo "| Complete | - | - | - | - |" >> $GITHUB_STEP_SUMMARY
-```
-
-## 🔧 Advanced Configuration Files
-
-### CodeQL Configuration
-```yaml
-# .github/codeql/codeql-config.yml
-name: "Advanced CodeQL Configuration"
-
-query-filters:
-- exclude:
- id: java/example/too-many-loops
-- include:
- tags:
- - security
- - external/cwe/cwe-798
- - external/cwe/cwe-259
-
-paths:
-- src
-- lib
-- app
-
-paths-ignore:
-- test
-- spec
-- node_modules
-- vendor
-- build
-- dist
-
-languages:
- java:
- build-command:
- - mvn compile -DskipTests
- - gradle build -x test
-
- javascript:
- build-command: npm run build
-
- python:
- build-command: python -m py_compile **/*.py
-
-queries:
- uses: ./.github/codeql/query-suites.yml
-
-packs:
-- codeql/java-queries
-- codeql/javascript-queries
-- codeql/python-queries
-- organization/custom-security-queries
-
-database:
- location: ./.codeql/databases
- cleanup: true
-```
-
-### Custom Query Suites
-```yql
-# .github/codeql/query-suites.qls
-- description: "Custom Security Queries"
-- queries: .
- from: custom-security-queries.qls
-- include:
- tags:
- - security
- - external/cwe/cwe-89
- - external/cwe/cwe-78
- - external/cwe/cwe-79
-- exclude:
- precision: very-low
-```
-
-## 🛠️ Custom Query Development
-
-### Advanced QL Query Structure
-```ql
-// .github/codeql/custom-queries/SQLInjection.ql
-/**
- * @name Potential SQL Injection
- * @description Detects potential SQL injection vulnerabilities in Java code
- * @kind path-problem
- * @problem.severity error
- * @precision high
- * @id java/sql-injection
- * @tags security
- * external/cwe/cwe-89
- */
-
-import java
-import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.TaintTracking
-import DataFlow::PathGraph
-
-class SqlInjectionConfig extends TaintTracking::Configuration {
- SqlInjectionConfig() { this = "SqlInjectionConfig" }
-
- override predicate isSource(DataFlow::Node source) {
- exists(MethodAccess ma |
- ma.getMethod().hasName("getParameter") and
- source.asExpr() = ma
- )
- }
-
- override predicate isSink(DataFlow::Node sink) {
- exists(MethodAccess ma |
- ma.getMethod().hasName("executeQuery") and
- sink.asExpr() = ma.getArgument(0)
- )
- }
-
- override predicate isSanitizer(DataFlow::Node sanitizer) {
- exists(MethodAccess ma |
- ma.getMethod().hasName("escapeSql") and
- sanitizer.asExpr() = ma
- )
- }
-}
-
-from SqlInjectionConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Potential SQL injection vulnerability"
-```
-
-### Complex Data Flow Analysis
-```ql
-// .github/codeql/custom-queries/AdvancedTaintTracking.ql
-import java
-import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.TaintTracking
-
-class UserInputSource extends DataFlow::ExprNode {
- UserInputSource() {
- exists(Method m |
- m.hasName("getParameter") or
- m.hasName("getHeader") or
- m.hasName("getCookie") or
- m.hasName("getAttribute")
- |
- this.asExpr() = m.getACall()
- )
- }
-}
-
-class DangerousSink extends DataFlow::ExprNode {
- DangerousSink() {
- // File operations
- exists(Method m | m.hasName("write") | this.asExpr() = m.getACall()) or
- // Database operations
- exists(Method m | m.hasName("execute") | this.asExpr() = m.getACall()) or
- // Command execution
- exists(Method m | m.hasName("exec") | this.asExpr() = m.getACall())
- }
-}
-
-class SanitizerMethod extends DataFlow::ExprNode {
- SanitizerMethod() {
- exists(Method m |
- m.hasName("validateInput") or
- m.hasName("sanitize") or
- m.hasName("escapeHtml")
- |
- this.asExpr() = m.getACall()
- )
- }
-}
-
-from UserInputSource source, DangerousSink sink
-where DataFlow::localFlow(source, sink)
-select sink, "User input flows to dangerous sink without sanitization"
-```
-
-## 🔍 Advanced Query Patterns
-
-### Performance Optimization Queries
-```ql
-// .github/codeql/custom-queries/PerformanceIssues.ql
-import java
-import semmle.code.java.dataflow.DataFlow
-
-class ExpensiveOperationInLoop extends DataFlow::Configuration {
- ExpensiveOperationInLoop() { this = "ExpensiveOperationInLoop" }
-
- override predicate isSource(DataFlow::Node source) {
- exists(Method m |
- m.hasName("compile") or
- m.hasName("createConnection") or
- m.hasName("parseXML")
- |
- source.asExpr() = m.getACall()
- )
- }
-
- override predicate isSink(DataFlow::Node sink) {
- exists(LoopStmt loop | sink.asExpr() = loop.getCondition())
- }
-}
-
-from ExpensiveOperationInLoop config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Expensive operation inside loop may cause performance issues"
-```
-
-### Security Configuration Queries
-```ql
-// .github/codeql/custom-queries/SecurityMisconfiguration.ql
-import java
-
-class InsecureConfiguration extends RefType {
- InsecureConfiguration() {
- this.hasQualifiedName("org.springframework.security.config.annotation.web", "WebSecurityConfigurerAdapter")
- }
-}
-
-from InsecureConfiguration config, Method m
-where
- m.getDeclaringType() = config and
- m.overridesOrInstantiates*(m.getDeclaringType().getAMethod()) and
- not exists(MethodAccess ma |
- ma.getMethod().hasName("csrf") and
- ma.getAnArgument().toString().matches("%disable%")
- )
-select m, "Security configuration might be missing CSRF protection"
-```
-
-## 📊 Advanced Analysis Pipeline
-
-### Multi-Stage Analysis Workflow
-```yaml
-# .github/workflows/codeql-pipeline.yml
-name: "CodeQL Security Pipeline"
-
-on:
- push:
- branches: [ main ]
- schedule:
- - cron: '0 0 * * 0' # Weekly
-
-jobs:
- code-scanning:
- name: Code Scanning
- uses: ./.github/workflows/codeql-advanced.yml
- secrets: inherit
-
- dependency-scanning:
- name: Dependency Vulnerability Scan
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- - name: Run OWASP Dependency Check
- uses: dependency-check/Dependency-Check_Action@main
- with:
- project: 'my-project'
- path: '.'
- format: 'HTML'
- out: 'reports'
-
- container-scanning:
- name: Container Image Scanning
- runs-on: ubuntu-latest
- steps:
- - name: Run Trivy Vulnerability Scanner
- uses: aquasecurity/trivy-action@master
- with:
- scan-type: 'fs'
- scan-ref: '.'
- format: 'sarif'
- output: 'trivy-results.sarif'
-
- security-report:
- name: Generate Security Report
- runs-on: ubuntu-latest
- needs: [code-scanning, dependency-scanning, container-scanning]
- steps:
- - name: Aggregate Results
- run: |
- python .github/scripts/aggregate-security-report.py
- - name: Upload Security Report
- uses: actions/upload-artifact@v4
- with:
- name: security-report
- path: security-report.html
-```
-
-## 🔒 Advanced Security Queries
-
-### Authentication & Authorization
-```ql
-// .github/codeql/custom-queries/AuthBypass.ql
-import java
-
-class AuthenticationBypass extends Method {
- AuthenticationBypass() {
- this.getAnAnnotation().getType().hasQualifiedName("org.springframework.web.bind.annotation", "RequestMapping") and
- not exists(MethodAccess ma |
- ma.getMethod().hasName("isAuthenticated") or
- ma.getMethod().hasName("hasRole")
- )
- }
-}
-
-from AuthenticationBypass method
-select method, "Endpoint might be missing authentication check"
-```
-
-### Cryptography Issues
-```ql
-// .github/codeql/custom-queries/WeakCrypto.ql
-import java
-
-class WeakCryptoAlgorithm extends MethodAccess {
- WeakCryptoAlgorithm() {
- this.getMethod().hasName("getInstance") and
- (
- this.getArgument(0).toString().matches("%DES%") or
- this.getArgument(0).toString().matches("%RC4%") or
- this.getArgument(0).toString().matches("%MD5%")
- )
- }
-}
-
-from WeakCryptoAlgorithm crypto
-select crypto, "Use of weak cryptographic algorithm detected"
-```
-
-## 📈 Performance Optimization
-
-### Query Performance Configuration
-```yaml
-# .github/codeql/performance-config.yml
-optimization:
- max-paths: 1000
- timeout: 300
- memory: 8192
-
-analysis:
- mode: deep
- threads: 4
-
-caching:
- enabled: true
- location: ./.codeql/cache
- cleanup-age: 30d
-
-logging:
- level: INFO
- queries: true
- performance: true
-```
-
-### Custom Performance Queries
-```ql
-// .github/codeql/custom-queries/MemoryLeaks.ql
-import java
-
-class PotentialMemoryLeak extends Method {
- PotentialMemoryLeak() {
- this.getName().matches("create%") and
- not exists(Method destructor |
- destructor.getName().matches("destroy%") or
- destructor.getName().matches("close%") and
- destructor.getDeclaringType() = this.getDeclaringType()
- )
- }
-}
-
-from PotentialMemoryLeak method
-select method, "Potential memory leak: creation method without corresponding cleanup method"
-```
-
-## 🎯 Advanced Integration
-
-### CI/CD Pipeline Integration
-```yaml
-# .github/workflows/security-gates.yml
-name: "Security Quality Gates"
-
-on:
- pull_request:
- branches: [ main ]
-
-jobs:
- security-gate:
- name: Security Quality Gate
- runs-on: ubuntu-latest
- steps:
- - name: Run CodeQL Analysis
- uses: github/codeql-action/analyze@v3
- with:
- output: sarif-results
-
- - name: Check Security Thresholds
- run: |
- python .github/scripts/check-security-gates.py
-
- - name: Fail on Critical Issues
- if: steps.security-check.outputs.critical_issues > 0
- run: |
- echo "❌ Critical security issues found. Blocking merge."
- exit 1
-```
-
-### Custom Scripts for Analysis
-```python
-# .github/scripts/aggregate-security-report.py
-#!/usr/bin/env python3
-import json
-import sys
-from pathlib import Path
-
-def load_sarif_results(file_path):
- with open(file_path, 'r') as f:
- return json.load(f)
-
-def analyze_severity_distribution(results):
- severity_count = {
- 'error': 0,
- 'warning': 0,
- 'note': 0
- }
-
- for run in results.get('runs', []):
- for result in run.get('results', []):
- level = result.get('level', 'warning')
- severity_count[level] += 1
-
- return severity_count
-
-def generate_report(severity_distribution):
- report = f"""
-# Security Analysis Report
-## Summary
-- Critical Issues: {severity_distribution['error']}
-- Warnings: {severity_distribution['warning']}
-- Recommendations: {severity_distribution['note']}
-
-## Quality Gates
-{'❌ FAIL' if severity_distribution['error'] > 0 else '✅ PASS'} - No Critical Issues
-{'⚠️ WARN' if severity_distribution['warning'] > 10 else '✅ PASS'} - Warning Threshold
-"""
- return report
-
-if __name__ == "__main__":
- results_dir = Path("sarif-results")
- all_results = []
-
- for sarif_file in results_dir.glob("*.sarif"):
- all_results.extend(load_sarif_results(sarif_file))
-
- severity = analyze_severity_distribution(all_results)
- report = generate_report(severity)
-
- with open("security-report.md", "w") as f:
- f.write(report)
-
- print("Security report generated successfully")
-```
-
-This advanced CodeQL implementation provides:
-
-## 🚀 Key Features
-
-1. **Multi-Language Support** - Java, JavaScript, Python, Go, C++
-2. **Custom Query Development** - Advanced security and performance queries
-3. **Performance Optimization** - Caching, parallel execution, resource management
-4. **Security Quality Gates** - Automated security thresholds and blocking
-5. **Comprehensive Reporting** - Aggregated security dashboards
-6. **Enterprise Integration** - CI/CD pipeline integration with quality gates
-
-## 💡 Advanced Use Cases
-
-- **Custom Security Rules** - Organization-specific security requirements
-- **Performance Analysis** - Code performance and memory leak detection
-- **Architecture Validation** - Code structure and design pattern validation
-- **Compliance Checking** - Regulatory and compliance requirements
-- **Dependency Analysis** - Third-party library security assessment
-
-This setup enables enterprise-grade code security analysis with custom rules, performance optimization, and comprehensive reporting!
diff --git a/Development b/Development
new file mode 100644
index 000000000000..408510725d41
--- /dev/null
+++ b/Development
@@ -0,0 +1,115 @@
+Great! Let's explore how to integrate SLSA3 principles into your **development workflow**—from coding to merging—so that security is baked in from the start. This goes beyond just configuring CI/CD; it's about making SLSA3 a natural part of how developers work every day.
+
+## 🔄 Development Workflow with SLSA3 in Mind
+
+### 1. **Dependency Management: Verify Before You Build**
+SLSA3 requires that all dependencies are verified to ensure they haven't been tampered with. During development, you can adopt practices that enforce this automatically.
+
+- **Use `go mod verify` (Go)** or `pip hash` (Python) to check downloaded modules.
+- **Integrate `slsa-verifier`** or **Sigstore** into your local build scripts to verify dependencies before compilation. For example, you could run:
+ ```bash
+ slsa-verifier verify-artifact \
+ --provenance-path "path/to/provenance.json" \
+ --source-uri "github.com/your-org/dependency" \
+ --builder-id "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.1.0" \
+ dependency.bin
+ ```
+
+- **Automate in pre-commit hooks**: Use tools like `pre-commit` to run dependency checks before each commit, ensuring no untrusted code sneaks in.
+
+### 2. **Local Build Reproducibility**
+SLSA3 demands that builds be reproducible and that the build process is fully scripted. As a developer, you can:
+
+- **Containerize your development environment** (e.g., using Dev Containers or Docker) to match the CI environment exactly. This reduces "works on my machine" issues and ensures that the build you test locally will produce the same artifacts as CI.
+
+- **Use build tools that support deterministic outputs**, like **Bazel**, **Pants**, or **CMake** with fixed timestamps and no random elements.
+
+- **Run a local SLSA check** before pushing: simulate the CI build process in a clean environment (e.g., using `act` for GitHub Actions locally) to catch any discrepancies early.
+
+### 3. **Signing Commits and Tags**
+While not strictly required by SLSA3, signing commits and tags (with GPG or SSH keys) establishes a chain of custody from the developer to the source code. This helps meet the **source integrity** expectations of SLSA3.
+
+```bash
+git commit -S -m "feat: add secure feature"
+git tag -s v1.2.3 -m "Release v1.2.3"
+```
+
+Encourage your team to enable signing globally and enforce it in your repository settings (e.g., GitHub's "Require signed commits" branch protection).
+
+### 4. **Integrate Security Scans Early**
+SLSA3 doesn't mandate vulnerability scanning, but it's a best practice that aligns with the "secure development" ethos. Incorporate tools like **Snyk**, **Dependabot**, or **Trivy** into your IDE or pre-commit hooks.
+
+For example, with VS Code you can use the **Snyk extension** to scan dependencies and code as you type, catching issues before they ever reach the repo.
+
+### 5. **Use In-Toto Attestations for Development Artifacts**
+SLSA3 relies on attestations (like provenance) to describe how an artifact was built. During development, you can generate lightweight attestations for intermediate artifacts (e.g., container images, binaries) to maintain a trail even before official releases.
+
+- **Tool**: [**in-toto**](https://in-toto.io/) provides a framework to create and verify attestations.
+- **Example**: After a local build, run:
+ ```bash
+ in-toto-run --step-name local-build --products myapp --key mykey --
+ ```
+
+This creates a link file that can be stored alongside the artifact, useful for debugging or for internal audits.
+
+### 6. **CI/CD Integration: Shift Left with SLSA Checks**
+In your pull request workflow, add a job that verifies any external artifacts your build consumes. For instance, if you download a third‑party binary, verify its provenance before using it:
+
+```yaml
+- name: Verify dependency provenance
+ run: |
+ slsa-verifier verify-artifact \
+ --provenance-path dependency.intoto.jsonl \
+ --source-uri github.com/trusted-org/dependency \
+ --builder-id trusted-builder-id \
+ dependency.bin
+```
+
+This prevents accidentally incorporating compromised dependencies into your product.
+
+### 7. **Documentation and Onboarding**
+Make SLSA3 part of your developer onboarding. Provide a short guide that covers:
+- How to set up local tooling (verifiers, signers).
+- How to interpret and verify provenance.
+- How to run security scans locally.
+- How to handle dependencies safely.
+
+## 🛠️ Practical Example: A Developer's Daily Routine
+
+Here’s what a typical day might look like with SLSA3 integrated:
+
+1. **Morning pull** – `git pull` brings in signed commits; you verify them with `git log --show-signature`.
+2. **Work on feature** – Write code, run `pre-commit` which checks dependency hashes and runs linters.
+3. **Local build** – Use a containerized environment (e.g., `docker run --rm -v $(pwd):/workspace build-env ./build.sh`). The build script also generates an in-toto link for the binary.
+4. **Test** – Run `ctest` inside the container; all tests pass.
+5. **Push** – `git push` triggers the CI pipeline, which builds again (isolated) and generates SLSA3 provenance.
+6. **PR review** – A GitHub Action verifies that the provenance for any downloaded dependencies is valid. The reviewer sees a green checkmark indicating "provenance verified".
+7. **Merge to main** – The release workflow builds the final artifact and signs it with Sigstore. The provenance is attached to the GitHub release.
+
+## 📚 Resources for Developers
+
+- **Sigstore Client (`cosign`)**: Sign and verify container images and blobs.
+- **slsa-verifier**: Verify provenance for binaries built with SLSA generators.
+- **GitHub CLI `gh attestation`**: Verify attestations directly from GitHub.
+- **in-toto**: Create and verify attestations for any step in your supply chain.
+- **Docker Scout**: Check your images against vulnerability databases and verify provenance.
+
+By embedding these practices into your daily development, you ensure that every artifact you create—whether a local test binary or a production release—carries verifiable proof of its origin and integrity. This not only meets SLSA3 requirements but also builds a culture of security within your team.
+
+Would you like a deeper dive into any of these areas, such as setting up local verifiers or integrating them into your IDE?Great! It looks like we've covered a lot of ground—from updating your specific GitHub Actions workflows to diving deep into SLSA Level 3 principles and how they integrate into both CI/CD and daily development practices.
+
+To recap, you now have:
+- ✅ Updated `generator-generic-ossf-slsa3-publish.yml` and `cmake-single-platform.yml` with SLSA3‑compliant configurations.
+- ✅ A clear understanding of how different platforms (GitHub, GitLab, Google, etc.) implement SLSA3.
+- ✅ A step‑by‑step guide to structuring your GitHub workflows for non‑forgeable provenance.
+- ✅ Practical advice on weaving SLSA3 into your development workflow—dependency verification, local reproducibility, commit signing, and more.
+
+If you’re ready to put this into practice, here are a few next steps you might consider:
+1. **Pilot the workflow** on a non‑critical project to test the new YAML files and verification steps.
+2. **Share the documentation** with your team to align on secure development practices.
+3. **Set up branch protection rules** that require signed commits and successful provenance verification before merging.
+4. **Explore automation** for dependency verification (e.g., using `slsa-verifier` in CI) to catch issues early.
+
+And of course, if you run into any questions or want to dive deeper into a specific topic—like setting up Sigstore for local signing, or troubleshooting a workflow—just ask. I’m here to help!
+
+Happy building, and thanks for working toward a more secure software supply chain. 🚀
diff --git a/License Agreement (CLA). b/License Agreement (CLA).
new file mode 100644
index 000000000000..94c34b864765
--- /dev/null
+++ b/License Agreement (CLA).
@@ -0,0 +1,112 @@
+To complete the data for **Muhamad Sazwan bin Ismail** in the context of a Contributor License Agreement (CLA) system, you’ll likely need to store his information in different types of databases. Below are examples of how you might insert his record into **SQL**, **NoSQL**, and a dedicated **CLA records** structure.
+
+---
+
+## 1. SQL Database (e.g., PostgreSQL, MySQL)
+
+Assume a table `contributors` with relevant columns.
+A typical `INSERT` statement would look like:
+
+```sql
+INSERT INTO contributors (
+ full_name,
+ email,
+ github_username,
+ cla_signed,
+ signed_at,
+ ip_address
+) VALUES (
+ 'Muhamad Sazwan bin Ismail',
+ 'muhamad.sazwan@example.com',
+ 'msazwan',
+ TRUE,
+ NOW(),
+ '192.168.1.100'
+);
+```
+
+If you have a separate `cla_signatures` table (for tracking multiple versions), you might do:
+
+```sql
+INSERT INTO cla_signatures (
+ contributor_id,
+ cla_version,
+ signed_at,
+ agreement_text
+) VALUES (
+ (SELECT id FROM contributors WHERE email = 'muhamad.sazwan@example.com'),
+ 'v2.1',
+ NOW(),
+ 'I have read and agree to the CLA...'
+);
+```
+
+---
+
+## 2. NoSQL Database (e.g., MongoDB)
+
+A document for the same contributor in MongoDB could look like this:
+
+```json
+{
+ "_id": ObjectId("..."),
+ "name": "Muhamad Sazwan bin Ismail",
+ "email": "muhamad.sazwan@example.com",
+ "github": "msazwan",
+ "cla": {
+ "signed": true,
+ "version": "v2.1",
+ "signed_at": ISODate("2025-03-17T04:20:00Z"),
+ "ip": "192.168.1.100"
+ }
+}
+```
+
+Insert using:
+
+```javascript
+db.contributors.insertOne({
+ name: "Muhamad Sazwan bin Ismail",
+ email: "muhamad.sazwan@example.com",
+ github: "msazwan",
+ cla: {
+ signed: true,
+ version: "v2.1",
+ signed_at: new Date(),
+ ip: "192.168.1.100"
+ }
+});
+```
+
+---
+
+## 3. CLA Records (as a separate system or table)
+
+If you maintain a separate **CLA signing log** (e.g., for auditing), you might store records in either SQL or NoSQL. A simple CSV-like record could be:
+
+```
+Full Name, Email, CLA Version, Signed Date, IP Address
+Muhamad Sazwan bin Ismail, muhamad.sazwan@example.com, v2.1, 2025-03-17 12:20:00, 192.168.1.100
+```
+
+Or as a JSON entry in a `cla_logs` collection:
+
+```json
+{
+ "contributor": "Muhamad Sazwan bin Ismail",
+ "email": "muhamad.sazwan@example.com",
+ "cla_version": "v2.1",
+ "signed_at": "2025-03-17T04:20:00Z",
+ "ip_address": "192.168.1.100"
+}
+```
+
+---
+
+## Additional Notes
+
+- Replace `email` and `github_username` with actual data if available.
+- In production, you’d likely store a hash of the signed agreement or a reference to the PDF.
+- Ensure you comply with data privacy regulations (e.g., GDPR) when storing personal information.
+
+If you need help adapting these examples to your specific database schema or have further requirements, feel free to ask!