Skip to content

Add CodeQL analysis workflow configuration#321

Open
msslulu wants to merge 2 commits into
developfrom
codeql
Open

Add CodeQL analysis workflow configuration#321
msslulu wants to merge 2 commits into
developfrom
codeql

Conversation

@msslulu

@msslulu msslulu commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

This workflow file configures CodeQL analysis for the repository, specifying triggers, jobs, and steps for analyzing various programming languages.

English | 简体中文

PR

PR Checklist

Please check if your PR fulfills the following requirements:

  • The commit message follows our Commit Message Guidelines
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)
  • Built its own designer, fully self-validated

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Documentation content changes
  • Other... Please describe:

Background and solution

What is the current behavior?

Issue Number: N/A

What is the new behavior?

Does this PR introduce a breaking change?

  • Yes
  • No

Other information

Summary by CodeRabbit

  • New Features
    • Added automated CodeQL security analysis (Advanced) for pushes to develop, pull requests, and weekly scheduled runs, including multi-language support and Swift-specific runner selection.
    • Updated CodeQL configuration to ignore common build, test, and generated-source directories, and added explicit CodeQL config usage.
  • Tests
    • Added a new test controller with intentionally vulnerable HTTP endpoints to exercise common security patterns during scanning.

This workflow file configures CodeQL analysis for the repository, specifying triggers, jobs, and steps for analyzing various programming languages.
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

Seems you are using me but didn't get OPENAI_API_KEY seted in Variables/Secrets for this repo. you could follow readme for more information

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

A CodeQL Advanced GitHub Actions workflow is added with push, pull request, and scheduled triggers, plus analysis initialization and execution. A CodeQL config file excludes selected paths, and a Spring controller adds endpoints with insecure patterns for scanning.

Changes

CodeQL analysis pipeline

Layer / File(s) Summary
Triggers and job setup
.github/workflows/codeql.yml
Defines the workflow name, push/pull_request/schedule triggers, analyze job, runner selection, and job-level permissions.
Matrix and CodeQL steps
.github/workflows/codeql.yml, .github/workflows/codeql-config.yml
Sets the language/build-mode matrix, checks out the repo, initializes CodeQL with the config file, adds the manual-build placeholder, runs analysis, and ignores target, test, and generated source paths.

Vulnerable analysis fixture

Layer / File(s) Summary
Vulnerable test controller
base/src/main/java/com/tinyengine/it/test/VulnerableTest.java
Adds REST endpoints and a credential method that use request input in SQL, command, URL, and file-path operations.
Estimated code review effort: 3 (Moderate) ~20 minutes

Poem

A rabbit hops through YAML fields so neat,
CodeQL now scans with nimble feet,
Push or pull, or a weekly chime,
Vulnerable trails get caught in time. 🐇
Hop, hop, hooray for secure code today!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding CodeQL analysis workflow configuration.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codeql

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/codeql.yml (1)

59-60: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Harden checkout step: disable credential persistence.

actions/checkout@v4 persists the GitHub token in the local git config by default, which any later step (or injected build command via matrix.build-mode == 'manual') could read. Setting persist-credentials: false avoids this exposure since the job doesn't need to push back to the repo.

🔒 Suggested fix
     - name: Checkout repository
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml around lines 59 - 60, The checkout step in the
code scanning workflow is persisting the GitHub token by default, which exposes
credentials to later steps and any manual build command. Update the
actions/checkout@v4 usage in the workflow’s checkout step to disable credential
persistence by setting persist-credentials to false, since this job does not
need to push changes back.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/codeql.yml:
- Around line 59-60: The checkout step in the code scanning workflow is
persisting the GitHub token by default, which exposes credentials to later steps
and any manual build command. Update the actions/checkout@v4 usage in the
workflow’s checkout step to disable credential persistence by setting
persist-credentials to false, since this job does not need to push changes back.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 553375ab-59a3-4cc3-9434-06ef7faef4c5

📥 Commits

Reviewing files that changed from the base of the PR and between 0045f62 and c8846d9.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Seems you are using me but didn't get OPENAI_API_KEY seted in Variables/Secrets for this repo. you could follow readme for more information

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql-config.yml:
- Around line 1-4: The CodeQL config is currently being picked up as a GitHub
Actions workflow because it lives under .github/workflows/, so move this
paths-ignore-only config to a non-workflow location such as
.github/codeql/codeql-config.yml and update the config-file reference in
codeql.yml to point to the new path; use the existing CodeQL config file and
codeql.yml workflow as the symbols to locate and adjust.

In `@base/src/main/java/com/tinyengine/it/test/VulnerableTest.java`:
- Around line 16-88: The VulnerableTest fixture is currently a live
`@RestController` under the production source set, so its endpoints are being
deployed and mapped as real routes. Move VulnerableTest out of the deployable
application path or remove the `@RestController/`@GetMapping annotations so no
endpoints are registered; alternatively gate it behind a non-production profile.
Keep the CodeQL fixture in a location that remains scanned but is excluded from
the runtime artifact, using the VulnerableTest class and its /sql-injection,
/command-injection, /ssrf, and /file-read handlers as the symbols to update.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1d917713-023f-4621-a595-70b0c69f8c0a

📥 Commits

Reviewing files that changed from the base of the PR and between c8846d9 and 1d81338.

📒 Files selected for processing (3)
  • .github/workflows/codeql-config.yml
  • .github/workflows/codeql.yml
  • base/src/main/java/com/tinyengine/it/test/VulnerableTest.java
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/codeql.yml

Comment on lines +1 to +4
paths-ignore:
- '**/target/' # Maven 编译输出
- '**/src/test/' # 单元测试代码(测试断言常被误报)
- '**/generated-sources/' # 自动生成的代码(如 MapStruct、QueryDSL) No newline at end of file

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Relocate this CodeQL config out of .github/workflows/.

GitHub Actions treats every *.yml in .github/workflows/ as a workflow, so this file will be parsed as one and flagged as invalid (no on/jobs) — this is the root cause of the actionlint errors, not a false positive. Move it to a non-workflow path such as .github/codeql/codeql-config.yml and update the config-file reference in codeql.yml accordingly.

🧰 Tools
🪛 actionlint (1.7.12)

[error] 1-1: "jobs" section is missing in workflow

(syntax-check)


[error] 1-1: "on" section is missing in workflow

(syntax-check)


[error] 1-1: unexpected key "paths-ignore" for "workflow" section. expected one of "concurrency", "defaults", "env", "jobs", "name", "on", "permissions", "run-name"

(syntax-check)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql-config.yml around lines 1 - 4, The CodeQL config is
currently being picked up as a GitHub Actions workflow because it lives under
.github/workflows/, so move this paths-ignore-only config to a non-workflow
location such as .github/codeql/codeql-config.yml and update the config-file
reference in codeql.yml to point to the new path; use the existing CodeQL config
file and codeql.yml workflow as the symbols to locate and adjust.

Source: Linters/SAST tools

Comment on lines +16 to +88
@RestController
public class VulnerableTest {
// 1. SQL 注入漏洞 (CWE-89)
// 漏洞点:直接将用户输入拼接到SQL语句中
@GetMapping("/sql-injection")
public String sqlInjection(@RequestParam String productId, HttpServletRequest request) {
try {
Connection conn = DriverManager.getConnection("jdbc:mysql://localhost/test", "user", "pass");
// 危险:直接拼接用户输入
String query = "SELECT * FROM products WHERE id = " + productId; // $source
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery(query); // $sink
// ... 处理结果
return "Query executed";
} catch (SQLException e) {
return "Error: " + e.getMessage();
}
}

// 2. 命令注入漏洞 (CWE-78)
// 漏洞点:用户输入被直接用于系统命令执行
@GetMapping("/command-injection")
public String commandInjection(@RequestParam String filename) {
try {
// 危险:用户输入直接拼接到命令中
Runtime runtime = Runtime.getRuntime();
Process process = runtime.exec("ls -l " + filename); // $source -> $sink
// ... 处理结果
return "Command executed";
} catch (IOException e) {
return "Error: " + e.getMessage();
}
}

// 3. SSRF 服务端请求伪造漏洞 (CWE-918)
// 漏洞点:用户控制的URL被用于发起网络请求
@GetMapping("/ssrf")
public String ssrf(@RequestParam String urlParam) {
try {
// 危险:用户输入直接构造URL并发起连接
URL url = new URL(urlParam); // $source
HttpURLConnection conn = (HttpURLConnection) url.openConnection(); // $sink
// ... 处理响应
return "Request sent";
} catch (IOException e) {
return "Error: " + e.getMessage();
}
}

// 4. 硬编码密码/密钥 (CWE-798)
// 漏洞点:敏感信息直接写在代码中
public void hardcodedCredential() {
String password = "admin123"; // $hardcoded
String apiKey = "sk-1234567890abcdef"; // $hardcoded
// ...
}

// 5. 路径遍历漏洞 (CWE-22)
// 漏洞点:用户输入直接用于构造文件路径
@GetMapping("/file-read")
public String fileRead(@RequestParam String filename) {
try {
// 危险:用户输入直接用于文件读取
File file = new File("/var/data/" + filename); // $source
FileReader fr = new FileReader(file); // $sink
// ... 读取文件内容
return "File read";
} catch (IOException e) {
return "Error: " + e.getMessage();
}
}

}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔴 Critical | ⚡ Quick win

Do not ship live vulnerable endpoints in the production source set.

This is annotated as an intentional CodeQL fixture, but it is a @RestController under src/main/java, so all endpoints (/sql-injection, /command-injection, /ssrf, /file-read) get compiled into and mapped as live routes in the deployed application — exposing real SQL injection (CWE-89), command injection (CWE-78), SSRF (CWE-918), path traversal (CWE-22), and hardcoded credentials (CWE-798). CodeQL analyzes source statically and does not require these to be registered/live, so there is no need to expose them.

Recommend one of: place the fixture in a source set/module that is excluded from the deployable artifact, drop @RestController/@GetMapping so no routes are registered, or gate it behind a non-production profile. Note also that the codeql-config.yml ignores **/src/test/, so simply moving it to src/test would exclude it from the scan you intend to exercise — pick a location that is both non-deployable and still scanned.

🧰 Tools
🪛 ast-grep (0.44.1)

[warning] 22-22: A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).
Context: DriverManager.getConnection("jdbc:mysql://localhost/test", "user", "pass")
Note: [CWE-798] Use of Hard-coded Credentials.

(drivermanager-hardcoded-secret-java)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@base/src/main/java/com/tinyengine/it/test/VulnerableTest.java` around lines
16 - 88, The VulnerableTest fixture is currently a live `@RestController` under
the production source set, so its endpoints are being deployed and mapped as
real routes. Move VulnerableTest out of the deployable application path or
remove the `@RestController/`@GetMapping annotations so no endpoints are
registered; alternatively gate it behind a non-production profile. Keep the
CodeQL fixture in a location that remains scanned but is excluded from the
runtime artifact, using the VulnerableTest class and its /sql-injection,
/command-injection, /ssrf, and /file-read handlers as the symbols to update.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants