chore: add CodeQL security scanning workflow #3
Adds CodeQL JS/TS analysis on push to main and PRs. Required by repo ruleset.
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation.
Pull request overview
Adds a GitHub Actions workflow to run CodeQL analysis for the repository’s JavaScript/TypeScript code, aligning with the repo ruleset requirement for security scanning.
Changes:
- Introduces a new CodeQL GitHub Actions workflow triggered on pushes and PRs to main.
- Configures CodeQL to run the security-and-quality query suite for javascript-typescript.
| timeout-minutes: 10 | ||
| permissions: | ||
| security-events: write | ||
| contents: read |
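Review bot: timeout-minutes: 10 (first line of this hunk) is a tight budget for a CodeQL job that runs the security-and-quality suite; when analysis overruns, the job is cancelled and reported as failed, and since the ruleset requires this check, a slow scan would block merges for reasons unrelated to the code under review. Raise the timeout, or measure a few runs on this repository before settling on a value.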
The job permissions are missing actions: read, which the GitHub CodeQL workflow template includes and which can be required in repos/orgs that set the default GITHUB_TOKEN permissions to “read repository contents only”. Add actions: read to the job (or workflow) permissions to avoid CodeQL failures in locked-down environments.
| contents: read | |
| contents: read | |
| actions: read |
| with: | ||
| languages: javascript-typescript | ||
| queries: security-and-quality | ||
|
|
For TypeScript repositories, CodeQL JS/TS analysis is typically more accurate when dependencies are installed and the project is built (so the extractor can resolve types/config). Consider adding steps between init and analyze to run npm ci (and npm run build if needed) so the scan reflects the actual compiled/typed code.
| - name: Set up Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 'lts/*' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Build (if applicable) | |
| run: npm run build --if-present |
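Review bot: the suggested npm ci step runs the preinstall/postinstall lifecycle scripts of every package in the lockfile, inside a job whose GITHUB_TOKEN holds security-events: write and which actions/checkout persists in the checked-out repository's git config by default. For a scan-only job, use npm ci --ignore-scripts so a compromised dependency cannot execute code with that token; npm run build --if-present still runs as an explicit script. Note also that both cache: 'npm' and npm ci require a committed package-lock.json, so these steps fail on a repository without one.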
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v3 | ||
| with: | ||
| languages: javascript-typescript | ||
| queries: security-and-quality | ||
|
|
||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@v3 |
These steps reference third-party actions by mutable tags (e.g., @v4, @v3). If this repo aims for stronger supply-chain guarantees, pin actions to a full commit SHA (optionally keeping the major tag in a comment) to reduce the risk of a compromised upstream release.
| - uses: actions/checkout@v4 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: javascript-typescript | |
| queries: security-and-quality | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@6db8d2e1e5de55e90d24df76ebe7d7318f637bee # v3 | |
| with: | |
| languages: javascript-typescript | |
| queries: security-and-quality | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@6db8d2e1e5de55e90d24df76ebe7d7318f637bee # v3 |
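Review bot: the commit SHAs in this suggestion cannot be validated from the diff alone; before accepting it, confirm in the actions/checkout and github/codeql-action repositories that each SHA is the commit the v4 and v3 tags currently point to, since a wrong SHA either fails to resolve or pins to unrelated code. Keep the trailing # v4 / # v3 comments and add a Dependabot configuration for the github-actions ecosystem, so the pins are bumped to new releases instead of silently going stale.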
Adds CodeQL JS/TS analysis. Required by repo ruleset.