vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 05:30:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(ci): rename CodeQL auth security shard

Browse Source
This commit is contained in:
Vincent Koc
2026-04-29 14:09:15 -07:00
parent 21e2168b8f
commit 1d9f727bfd
3 changed files with 8 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/codeql/codeql-javascript-typescript-critical-security.yml → .github/codeql/codeql-core-auth-secrets-critical-security.yml vendored
View File

@@ -1,4 +1,4 @@
name: openclaw-codeql-javascript-typescript-critical-security
name: openclaw-codeql-core-auth-secrets-critical-security
disable-default-queries: true

4
.github/workflows/codeql.yml vendored
View File

@@ -37,10 +37,10 @@ jobs:
matrix:
include:
- language: javascript-typescript
category: javascript-typescript
category: core-auth-secrets
runs_on: blacksmith-8vcpu-ubuntu-2404
timeout_minutes: 25
config_file: ./.github/codeql/codeql-javascript-typescript-critical-security.yml
config_file: ./.github/codeql/codeql-core-auth-secrets-critical-security.yml
- language: javascript-typescript
category: channel-runtime-boundary
runs_on: blacksmith-8vcpu-ubuntu-2404

9
docs/ci.md
View File

@@ -258,19 +258,20 @@ or overlapping changed hunks.
The `CodeQL` workflow is intentionally a narrow first-pass security scanner,
not the full repository sweep. Daily and manual runs scan Actions workflow code
plus the highest-risk JavaScript/TypeScript auth, secrets, sandbox, cron, and
gateway surfaces with high-precision security queries. The
gateway surfaces with high-precision security queries under the
`/codeql-critical-security/core-auth-secrets` category. The
channel-runtime-boundary job separately scans core channel implementation
contracts plus the channel plugin runtime, gateway, Plugin SDK, secrets, and
audit touchpoints under the `/codeql-critical-security/channel-runtime-boundary`
category so channel security signal can scale without broadening the baseline
JS/TS category. The network-ssrf-boundary job scans core SSRF, IP parsing,
auth/secrets category. The network-ssrf-boundary job scans core SSRF, IP parsing,
network guard, web-fetch, and Plugin SDK SSRF policy surfaces under the
`/codeql-critical-security/network-ssrf-boundary` category so network trust
boundary signal stays separate from the broader JS/TS security baseline.
boundary signal stays separate from the auth/secrets security baseline.
The mcp-process-tool-boundary job scans MCP servers, process execution helpers,
outbound delivery, and agent tool-execution gates under the
`/codeql-critical-security/mcp-process-tool-boundary` category so command and
tool boundary signal stays separate from both the general JS/TS baseline and
tool boundary signal stays separate from both the auth/secrets baseline and
the non-security MCP/process quality shard.
The `CodeQL Android Critical Security` workflow is the scheduled Android