Sph.2026 07 11.01#76
Merged
Merged
Conversation
…ntent and improving 404 handling`
- Introduced comprehensive tests for `GitHubClient` to validate API origin enforcement and token security. - Expanded `CleanupPathGuard` functionality with safe quarantine handling, isolated directory decisions, and secure mutation verification. - Added several helper methods to improve directory traversal reliability and secure file operations.
Contributor
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request refactors and enhances the CodeQL security scanning configuration for the repository. It consolidates to a single advanced, version-controlled CodeQL workflow that covers all supported languages, introduces a more precise threat model for Python, and improves the maintainability and accuracy of custom sanitizer models. Documentation is updated to guide repository admins through setup, migration, and verification. Unused or redundant files are removed, and all workflow actions are pinned to specific commit SHAs for security.
CodeQL Workflow and Configuration Modernization
.github/workflows/codeql.ymlworkflow is now the sole, authoritative CodeQL configuration. It runs on pushes, pull requests, a weekly schedule, and manual dispatch, covering Actions, C#, JavaScript/TypeScript, and Python, each with appropriate build and threat models. All actions are pinned to full commit SHAs for security..github/codeql/codeql-config.ymland the new.github/codeql/codeql-python-config.ymldefine precise path exclusions and threat models: default-remote for C#/JS/TS/Actions, local for Python scripts, with clear documentation and no repository-wide rule exclusions for C#. [1] [2]Custom CodeQL Models and Extensions
LogSanitizerandConfigurationLogRedactoris now defined as a CodeQL pack in.github/codeql/extensions/log-sanitizer, using the correctbarrierModelextensible and a pack manifest for discoverability by both advanced and default setups. [1] [2] [3]Documentation and Migration Guidance
.github/CODEQL-WORKFLOW.mdis rewritten to document the new workflow, explain the rationale for the split threat model, provide migration and verification steps, and clarify how to handle stale configurations and findings.Cleanup
.github/docker/Dockerfile.container-scanis deleted, reflecting the removal of an obsolete or redundant container scanning setup.Security and Maintenance
These changes ensure accurate, maintainable, and secure CodeQL analysis for all supported languages, with clear documentation and a robust migration path.