Summary: - The PR adds a `process-exec-boundary` CodeQL high-security shard, wires it into the CodeQL workflow, expands PR path triggers for process-owning plugin/script paths, and updates CI docs. - PR surface: Docs +1, Config +87. Total +88 across 3 files. - Reproducibility: not applicable. This is CI/security-scanner configuration rather than a runtime bug. The behavior is source-reviewable and the exact-head `Security High (process-exec-boundary)` check passed. Automerge notes: - No ClawSweeper repair was needed after automerge opt-in. Validation: - ClawSweeper review passed for head 066d54b633. - Required merge gates passed before the squash merge. Prepared head SHA: 066d54b633 Review: https://github.com/openclaw/openclaw/pull/92667#issuecomment-4698545987 Co-authored-by: Mason Huang <masonxhuang@tencent.com> Approved-by: hxy91819
62 lines
1.6 KiB
YAML
# CodeQL configuration for the `process-exec-boundary` high-security shard.
# It runs only the `security-extended` suite, narrowed to high-confidence,
# high-severity security queries, over the process-owning code paths listed
# below. Wired into the CodeQL workflow by the same PR.
name: openclaw-codeql-process-exec-boundary-critical-security

# Drop the default query suite so that only the `queries` entries below run.
disable-default-queries: true

queries:
  - uses: security-extended

# Keep only queries that satisfy ALL of the following:
#   - precision high or very-high (limits noisy, lower-confidence results)
#   - tagged `security`
#   - security-severity in the 7.x–9.x or 10.x range (i.e. >= 7.0)
# NOTE(review): the severity regex is unanchored and `(\d)+` accepts any
# number of decimals; it relies on CodeQL severities never exceeding 10.
query-filters:
  - include:
      precision:
        - high
        - very-high
      tags contain: security
      security-severity: /([7-9]|10)\.(\d)+/

# Scope of this shard: directories and files that own process spawning /
# exec boundaries (described in the PR as process-owning plugin and script
# paths). Anything outside these paths is not analysed by this shard.
paths:
  - src/process
  - src/tui/tui-local-shell.ts
  - src/tui/tui.ts
  - src/plugin-sdk/windows-spawn.ts
  - packages/agent-core/src/harness/env
  - packages/memory-host-sdk/src/host
  - extensions/acpx/src
  - extensions/bonjour/src/advertiser.ts
  - extensions/browser/src/browser/chrome-mcp.ts
  - extensions/browser/src/browser/chrome.executables.ts
  - extensions/browser/src/browser/chrome.ts
  - extensions/codex/src/app-server/sandbox-exec-server
  - extensions/codex/src/app-server/transport-stdio.ts
  - extensions/codex/src/node-cli-sessions.ts
  - extensions/codex-supervisor/src/json-rpc-client.ts
  - extensions/file-transfer/src
  - extensions/google-meet/src
  - extensions/imessage/src
  - extensions/memory-core/src/memory/qmd-manager.ts
  - extensions/memory-wiki/src/obsidian.ts
  - extensions/microsoft-foundry/cli.ts
  - extensions/ollama/src/wsl2-crash-loop-check.ts
  - extensions/qa-lab/src
  - extensions/signal/src/daemon.ts
  - extensions/tts-local-cli/speech-provider.ts
  - extensions/voice-call/src
  - scripts

# Excluded even when under a `paths` entry: dependencies, coverage output,
# generated/bundled artifacts and test scaffolding.
# NOTE(review): the substring globs (`*mock*`, `*fixture*`, `*bench*`,
# `*test-support*`, `*test-helper*`) match any file or directory whose name
# contains that word, so a production file named e.g. `benchmark-runner.ts`
# would also be skipped — confirm no process-owning source falls under them.
paths-ignore:
  - "**/node_modules"
  - "**/coverage"
  - "**/*.generated.ts"
  - "**/*.bundle.js"
  - "**/*-runtime.js"
  - "**/*.test.ts"
  - "**/*.test.tsx"
  - "**/*.spec.ts"
  - "**/*.spec.tsx"
  - "**/*.e2e.test.ts"
  - "**/*.e2e.test.tsx"
  - "**/*test-support*"
  - "**/*test-helper*"
  - "**/*mock*"
  - "**/*fixture*"
  - "**/*bench*"