Skip to content

CI: Resolve CodeQL concerns#160

Merged
derobins merged 3 commits into
ROCm:developfrom
riley-dixon:rildixon/ci-resolve-codeql-concerns
Jan 20, 2026
Merged

CI: Resolve CodeQL concerns#160
derobins merged 3 commits into
ROCm:developfrom
riley-dixon:rildixon/ci-resolve-codeql-concerns

Conversation

@riley-dixon

@riley-dixon riley-dixon commented Jan 19, 2026

Copy link
Copy Markdown
Collaborator

This resolves some CodeQL signals that could be considered false positives since our CI variables are not provided by external workflows. There concerns in particular are regarding potential shell injection should our callable workflows ever take in input from an external user. It recommends storing inputs in the environment rather than referencing them directly within a Bash step. We also encapsulate these instances within quotes to further try to prevent injections via substitutions.

AIHIPFILE-97

@riley-dixon riley-dixon self-assigned this Jan 19, 2026
@riley-dixon
riley-dixon force-pushed the rildixon/ci-resolve-codeql-concerns branch from f84a91b to 724f0ea Compare January 19, 2026 22:15
@riley-dixon riley-dixon changed the title Rildixon/ci resolve codeql concerns CI: Resolve CodeQL concerns Jan 19, 2026
CodeQL highlights using Input and Matrix variables directly as being
a potential vulnerability for shell injection. Most of these could however
be considered a false positives since our callable workflows all call into
each other, none of which accepting external user input. To make it happy
however, we will redirect these variables into the environment where they
will not be re-interpreted by Bash when substituted into a shell cmd.
@riley-dixon
riley-dixon force-pushed the rildixon/ci-resolve-codeql-concerns branch from 724f0ea to 98ff89f Compare January 19, 2026 22:44
@riley-dixon riley-dixon mentioned this pull request Jan 19, 2026
@riley-dixon

Copy link
Copy Markdown
Collaborator Author

PR#162 was used to test that there was no adverse change made to the build_ais_ci_image workflow.

Workflow run: https://github.com/ROCm/hipFile/actions/runs/21154308647?pr=160

@riley-dixon
riley-dixon force-pushed the rildixon/ci-resolve-codeql-concerns branch from b148808 to 98ff89f Compare January 19, 2026 23:47
@riley-dixon
riley-dixon marked this pull request as ready for review January 19, 2026 23:53
Further try to harden against shell injection by wrapping use
of AIS variables in double-quotes.
@riley-dixon
riley-dixon force-pushed the rildixon/ci-resolve-codeql-concerns branch from 98ff89f to cd83220 Compare January 20, 2026 17:28
@derobins
derobins merged commit 5a21d72 into ROCm:develop Jan 20, 2026
28 checks passed
@riley-dixon
riley-dixon deleted the rildixon/ci-resolve-codeql-concerns branch January 20, 2026 18:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants