Motivation
SeedSigner currently has no automated security analysis in CI. Recent security fixes (#897: shell injection via \os.popen(), #898: shell injection + temp file leak in \qrimage_io()) were caught during manual review. CodeQL can detect these classes of issues automatically on every commit and PR.
Proposal
Add a CodeQL workflow that runs on push/PR to dev, weekly, and via \workflow_dispatch, analyzing Python code with the default security query suite and a path-exclusion config for tests/tools/l10n.
What CodeQL catches for Python
Prior verification
Feedback welcome.
Motivation
SeedSigner currently has no automated security analysis in CI. Recent security fixes (#897: shell injection via \os.popen(), #898: shell injection + temp file leak in \qrimage_io()) were caught during manual review. CodeQL can detect these classes of issues automatically on every commit and PR.
Proposal
Add a CodeQL workflow that runs on push/PR to dev, weekly, and via \workflow_dispatch, analyzing Python code with the default security query suite and a path-exclusion config for tests/tools/l10n.
What CodeQL catches for Python
os.popen()with Python's inbuilt file handling #897, [Security] Fix shell injection and temp file leak in qrimage_io #898Prior verification
Feedback welcome.