diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml index 82ea1d7..f12a54a 100644 --- a/.github/codeql/codeql-config.yml +++ b/.github/codeql/codeql-config.yml @@ -5,12 +5,13 @@ paths-ignore: - "**/node_modules/**" - "**/dist/**" - "**/*.test.ts" + - "**/test/**" # Query filters to suppress false positives -# The rate limiting alerts are false positives because we use @fastify/rate-limit plugin -# which CodeQL doesn't recognize. The plugin is registered globally in index.ts -# and route-specific limits are applied via config.rateLimit option. query-filters: + # Rate limiting IS implemented via @fastify/rate-limit plugin (registered in index.ts) + # Route-specific limits are applied via config.rateLimit option + # CodeQL doesn't recognize this Fastify-specific pattern - exclude: id: js/missing-rate-limiting - # We use @fastify/rate-limit which CodeQL doesn't detect + diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..abc0ffb --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,41 @@ +name: "CodeQL" + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + - cron: "0 6 * * 1" # Weekly on Monday at 6am UTC + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [javascript-typescript] + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + config-file: ./.github/codeql/codeql-config.yml + + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{ matrix.language }}"