mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-06 08:00:42 +00:00
6e73101df3
Runs the PR CodeQL security guard as high-confidence high/critical security coverage and adds the initial plugin/package-contract quality guard.
57 lines
1.5 KiB
YAML
57 lines
1.5 KiB
YAML
name: openclaw-codeql-mcp-process-tool-boundary-critical-security
|
|
|
|
disable-default-queries: true
|
|
|
|
queries:
|
|
- uses: security-extended
|
|
|
|
query-filters:
|
|
- include:
|
|
precision:
|
|
- high
|
|
- very-high
|
|
tags contain: security
|
|
security-severity: /([7-9]|10)\.(\d)+/
|
|
|
|
paths:
|
|
- src/mcp
|
|
- src/process
|
|
- src/infra/outbound
|
|
- src/agents/bash-tools.exec*.ts
|
|
- src/agents/bash-tools.process*.ts
|
|
- src/agents/exec-*.ts
|
|
- src/agents/execution-contract.ts
|
|
- src/agents/openclaw-plugin-tools.ts
|
|
- src/agents/openclaw-tools.runtime.ts
|
|
- src/agents/openclaw-tools.registration.ts
|
|
- src/agents/pi-tool-definition-adapter.ts
|
|
- src/agents/pi-tools.abort.ts
|
|
- src/agents/pi-tools.before-tool-call*.ts
|
|
- src/agents/pi-tools.host-edit.ts
|
|
- src/agents/pi-tools-parameter-schema.ts
|
|
- src/agents/pi-embedded-runner/effective-tool-policy.ts
|
|
- src/agents/pi-embedded-runner/tool-name-allowlist.ts
|
|
- src/agents/pi-embedded-runner/tool-schema-runtime.ts
|
|
- src/agents/tools/gateway-tool.ts
|
|
- src/agents/tools/message-tool.ts
|
|
- src/agents/tools/sessions-send-tool.ts
|
|
- src/agents/tools/sessions-spawn-tool.ts
|
|
- src/agents/tools/subagents-tool.ts
|
|
- src/agents/tools/tool-runtime.helpers.ts
|
|
|
|
paths-ignore:
|
|
- "**/node_modules"
|
|
- "**/coverage"
|
|
- "**/*.generated.ts"
|
|
- "**/*.bundle.js"
|
|
- "**/*-runtime.js"
|
|
- "**/*.test.ts"
|
|
- "**/*.test.tsx"
|
|
- "**/*.e2e.test.ts"
|
|
- "**/*.e2e.test.tsx"
|
|
- "**/*test-support*"
|
|
- "**/*test-helper*"
|
|
- "**/*mock*"
|
|
- "**/*fixture*"
|
|
- "**/*bench*"
|