chore(ci): widen CodeQL PR guard

Runs the PR CodeQL security guard as high-confidence high/critical security coverage and adds the initial plugin/package-contract quality guard.
2026-05-06 08:20:43 +00:00 · 2026-04-29 20:06:50 -07:00
parent 8672737f81
commit 6e73101df3
9 changed files with 69 additions and 52 deletions
--- a/.github/codeql/codeql-actions-critical-security.yml
+++ b/.github/codeql/codeql-actions-critical-security.yml
@@ -1,5 +1,18 @@
 name: openclaw-codeql-actions-critical-security

+disable-default-queries: true
+
+queries:
+  - uses: security-extended
+
+query-filters:
+  - include:
+      precision:
+        - high
+        - very-high
+      tags contain: security
+      security-severity: /([7-9]|10)\.(\d)+/
+
 paths:
  - .github/actions
  - .github/workflows
--- a/.github/codeql/codeql-channel-runtime-boundary-critical-security.yml
+++ b/.github/codeql/codeql-channel-runtime-boundary-critical-security.yml
@@ -10,10 +10,8 @@ query-filters:
      precision:
        - high
        - very-high
-  - exclude:
-      problem.severity:
-        - recommendation
-        - warning
+      tags contain: security
+      security-severity: /([7-9]|10)\.(\d)+/

 paths:
  - src/channels
--- a/.github/codeql/codeql-core-auth-secrets-critical-security.yml
+++ b/.github/codeql/codeql-core-auth-secrets-critical-security.yml
@@ -10,10 +10,8 @@ query-filters:
      precision:
        - high
        - very-high
-  - exclude:
-      problem.severity:
-        - recommendation
-        - warning
+      tags contain: security
+      security-severity: /([7-9]|10)\.(\d)+/

 paths:
  - src/agents/*auth*.ts
--- a/.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml
+++ b/.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml
@@ -10,10 +10,8 @@ query-filters:
      precision:
        - high
        - very-high
-  - exclude:
-      problem.severity:
-        - recommendation
-        - warning
+      tags contain: security
+      security-severity: /([7-9]|10)\.(\d)+/

 paths:
  - src/mcp
--- a/.github/codeql/codeql-network-ssrf-boundary-critical-security.yml
+++ b/.github/codeql/codeql-network-ssrf-boundary-critical-security.yml
@@ -10,10 +10,8 @@ query-filters:
      precision:
        - high
        - very-high
-  - exclude:
-      problem.severity:
-        - recommendation
-        - warning
+      tags contain: security
+      security-severity: /([7-9]|10)\.(\d)+/

 paths:
  - src/infra/net
--- a/.github/codeql/codeql-plugin-trust-boundary-critical-security.yml
+++ b/.github/codeql/codeql-plugin-trust-boundary-critical-security.yml
@@ -10,10 +10,8 @@ query-filters:
      precision:
        - high
        - very-high
-  - exclude:
-      problem.severity:
-        - recommendation
-        - warning
+      tags contain: security
+      security-severity: /([7-9]|10)\.(\d)+/

 paths:
  - src/cli/plugin-install-config-policy.ts