mirror of
https://github.com/ivuorinen/actions.git
synced 2026-01-26 11:34:00 +00:00
Ismo Vuorinen
abe24f8570
* chore: remove bylines from actions * feat: new daily release action * chore(ci): ignore false positive in codeql, fix others * fix: cr comments
34 lines
1.1 KiB
YAML
34 lines
1.1 KiB
YAML
---
|
|
# CodeQL configuration for GitHub Actions repository
|
|
name: 'Actions Security Scanning'
|
|
|
|
# Exclude third-party and generated code from analysis
|
|
paths-ignore:
|
|
- node_modules/**
|
|
- '**/node_modules/**'
|
|
- '**/*.min.js'
|
|
- '_tests/reports/**'
|
|
- '_tests/coverage/**'
|
|
- '*.sarif'
|
|
- '**/*.sarif'
|
|
|
|
# Use security and quality query suite
|
|
queries:
|
|
- uses: security-and-quality
|
|
|
|
# Suppress specific false positives
|
|
# These findings have been manually reviewed and determined to be false positives
|
|
# with appropriate security controls in place
|
|
query-filters:
|
|
# docker-publish: Code injection in validated context
|
|
# False positive: User input is validated and sanitized before use
|
|
# - Only relative paths and trusted git URLs are allowed
|
|
# - Absolute paths and arbitrary URLs are rejected
|
|
# - Path traversal attempts are blocked
|
|
# - Custom contexts require explicit opt-in via use-custom-context: true
|
|
# - Wraps docker/build-push-action (trusted Docker-maintained action)
|
|
# - Action is designed for trusted workflows only (documented in action.yml)
|
|
- exclude:
|
|
id: js/actions/code-injection
|
|
kind: problem
|