mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-06 06:50:43 +00:00
6e73101df3
Runs the PR CodeQL security guard as high-confidence high/critical security coverage and adds the initial plugin/package-contract quality guard.
42 lines
893 B
YAML
42 lines
893 B
YAML
name: openclaw-codeql-network-ssrf-boundary-critical-security
|
|
|
|
disable-default-queries: true
|
|
|
|
queries:
|
|
- uses: security-extended
|
|
|
|
query-filters:
|
|
- include:
|
|
precision:
|
|
- high
|
|
- very-high
|
|
tags contain: security
|
|
security-severity: /([7-9]|10)\.(\d)+/
|
|
|
|
paths:
|
|
- src/infra/net
|
|
- src/shared/net
|
|
- src/agents/tools/web-fetch.ts
|
|
- src/agents/tools/web-guarded-fetch.ts
|
|
- src/agents/tools/web-shared.ts
|
|
- src/plugin-sdk/ssrf-policy.ts
|
|
- src/web-fetch
|
|
- src/web/provider-runtime-shared.ts
|
|
- packages/memory-host-sdk/src/host/ssrf-policy.ts
|
|
|
|
paths-ignore:
|
|
- "**/node_modules"
|
|
- "**/coverage"
|
|
- "**/*.generated.ts"
|
|
- "**/*.bundle.js"
|
|
- "**/*-runtime.js"
|
|
- "**/*.test.ts"
|
|
- "**/*.test.tsx"
|
|
- "**/*.e2e.test.ts"
|
|
- "**/*.e2e.test.tsx"
|
|
- "**/*test-support*"
|
|
- "**/*test-helper*"
|
|
- "**/*mock*"
|
|
- "**/*fixture*"
|
|
- "**/*bench*"
|