Skip to content

Proposal: Add CodeQL security analysis to CI pipeline #948

Description

@shivv23

Motivation

SeedSigner currently has no automated security analysis in CI. Recent security fixes (#897: shell injection via \os.popen(), #898: shell injection + temp file leak in \qrimage_io()) were caught during manual review. CodeQL can detect these classes of issues automatically on every commit and PR.

Proposal

Add a CodeQL workflow that runs on push/PR to dev, weekly, and via \workflow_dispatch, analyzing Python code with the default security query suite and a path-exclusion config for tests/tools/l10n.

What CodeQL catches for Python

Prior verification

Feedback welcome.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions