vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 05:10:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(ci): rename CodeQL auth security shard

Browse Source 
Renames the default auth/secrets CodeQL security category from the generic javascript-typescript label to core-auth-secrets.

Proof:
- Branch CodeQL security run https://github.com/openclaw/openclaw/actions/runs/25134871512 passed on 1d9f727bfd.
- Core auth/secrets analysis 1200412263 returned 0 results.
- Branch open CodeQL alerts: none.
- Workflow Sanity, Blacksmith Testbox, Blacksmith Build Artifacts Testbox, and OpenGrep PR Diff passed.

Scope is label/config only: same paths, query pack, filters, timeout, and runner.
This commit is contained in:
Vincent Koc
2026-04-29 14:32:34 -07:00
committed by GitHub
parent b552e31563
commit 71ab341f46
3 changed files with 8 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/codeql/codeql-javascript-typescript-critical-security.yml → .github/codeql/codeql-core-auth-secrets-critical-security.yml vendored
View File

@@ -1,4 +1,4 @@
name: openclaw-codeql-javascript-typescript-critical-security
name: openclaw-codeql-core-auth-secrets-critical-security
disable-default-queries: true

4
.github/workflows/codeql.yml vendored
View File

@@ -37,10 +37,10 @@ jobs:
matrix:
include:
- language: javascript-typescript
category: javascript-typescript
category: core-auth-secrets
runs_on: blacksmith-8vcpu-ubuntu-2404
timeout_minutes: 25
config_file: ./.github/codeql/codeql-javascript-typescript-critical-security.yml
config_file: ./.github/codeql/codeql-core-auth-secrets-critical-security.yml
- language: javascript-typescript
category: channel-runtime-boundary
runs_on: blacksmith-8vcpu-ubuntu-2404

9
docs/ci.md
View File

@@ -258,19 +258,20 @@ or overlapping changed hunks.
The `CodeQL` workflow is intentionally a narrow first-pass security scanner,
not the full repository sweep. Daily and manual runs scan Actions workflow code
plus the highest-risk JavaScript/TypeScript auth, secrets, sandbox, cron, and
gateway surfaces with high-precision security queries. The
gateway surfaces with high-precision security queries under the
`/codeql-critical-security/core-auth-secrets` category. The
channel-runtime-boundary job separately scans core channel implementation
contracts plus the channel plugin runtime, gateway, Plugin SDK, secrets, and
audit touchpoints under the `/codeql-critical-security/channel-runtime-boundary`
category so channel security signal can scale without broadening the baseline
JS/TS category. The network-ssrf-boundary job scans core SSRF, IP parsing,
auth/secrets category. The network-ssrf-boundary job scans core SSRF, IP parsing,
network guard, web-fetch, and Plugin SDK SSRF policy surfaces under the
`/codeql-critical-security/network-ssrf-boundary` category so network trust
boundary signal stays separate from the broader JS/TS security baseline.
boundary signal stays separate from the auth/secrets security baseline.
The mcp-process-tool-boundary job scans MCP servers, process execution helpers,
outbound delivery, and agent tool-execution gates under the
`/codeql-critical-security/mcp-process-tool-boundary` category so command and
tool boundary signal stays separate from both the general JS/TS baseline and
tool boundary signal stays separate from both the auth/secrets baseline and
the non-security MCP/process quality shard.
The `CodeQL Android Critical Security` workflow is the scheduled Android