From fd59563bebfb4882a3233b67419ceb895464bc38 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kim=20Harjam=C3=A4ki?=
Date: Fri, 3 Jul 2026 19:32:54 +0300
Subject: [PATCH] ci: scan actions with codeql and add bicep linter config

The repo is Bicep and docs with no JavaScript, so the CodeQL matrix targeted a language that does not exist here. Switch the language from 'javascript' to 'actions' so CodeQL scans the GitHub Actions workflows, which are the meaningful analyzable surface.

Add a root bicepconfig.json with production linter defaults so the landing-zone Bicep under impl/azure/landing-zone is linted consistently with the rest of the portfolio: core analyzers enabled, secret/security rules at error, style/correctness rules at warning, no-hardcoded-env-urls at error, and use-recent-api-versions disabled to avoid churn.

Co-Authored-By: Claude Opus 4.8
---
 .github/workflows/codeql.yml | 2 +-
 bicepconfig.json | 46 ++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 bicepconfig.json

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 86eaa2a..e5ed9ed 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -15,7 +15,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- language: [ 'javascript' ]
+ language: [ 'actions' ]
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
diff --git a/bicepconfig.json b/bicepconfig.json
new file mode 100644
index 0000000..7b7be46
--- /dev/null
+++ b/bicepconfig.json
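Review bot: With the matrix switched to `actions`, the `github/codeql-action/init` and `analyze` steps need a release line that supports the Actions language (v3); those steps sit below this hunk, so confirm they are not still on v2, where the job would fail at init. The `actions` scan covers only the workflow files, so a one-line comment at the matrix would stop the next reader from "fixing" it back to an application language, e.g. `# Repo is Bicep + docs (no app code); CodeQL analyzes the workflows themselves`. Since the workflows are now the analyzed surface, the context line `uses: actions/checkout@v4` is also where pinning to a full-length commit SHA (tag kept in a trailing comment) would harden the supply chain, and the `actions` query pack may itself flag the mutable tag. The `jobs:` block continues outside the hunk.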
@@ -0,0 +1,46 @@
+{
+ "analyzers": {
+ "core": {
+ "enabled": true,
+ "verbose": false,
+ "rules": {
+ "adminusername-should-not-be-literal": { "level": "error" },
+ "artifacts-parameters": { "level": "warning" },
+ "decompiler-cleanup": { "level": "warning" },
+ "explicit-values-for-loc-params": { "level": "warning" },
+ "max-asserts": { "level": "warning" },
+ "max-outputs": { "level": "warning" },
+ "max-params": { "level": "warning" },
+ "max-resources": { "level": "warning" },
+ "max-variables": { "level": "warning" },
+ "nested-deployment-template-scoping": { "level": "error" },
+ "no-conflicting-metadata": { "level": "warning" },
+ "no-deployments-resources": { "level": "warning" },
+ "no-hardcoded-env-urls": { "level": "error" },
+ "no-hardcoded-location": { "level": "warning" },
+ "no-loc-expr-outside-params": { "level": "warning" },
+ "no-unnecessary-dependson": { "level": "warning" },
+ "no-unused-existing-resources": { "level": "warning" },
+ "no-unused-params": { "level": "warning" },
+ "no-unused-vars": { "level": "warning" },
+ "outputs-should-not-contain-secrets": { "level": "error" },
+ "prefer-interpolation": { "level": "warning" },
+ "prefer-unquoted-property-names": { "level": "warning" },
+ "protect-commandtoexecute-secrets": { "level": "error" },
+ "secure-parameter-default": { "level": "error" },
+ "secure-params-in-nested-deploy": { "level": "error" },
+ "secure-secrets-in-params": { "level": "error" },
+ "simplify-interpolation": { "level": "warning" },
+ "simplify-json-null": { "level": "warning" },
+ "use-parent-property": { "level": "warning" },
+ "use-recent-api-versions": { "level": "off" },
+ "use-resource-id-functions": { "level": "warning" },
+ "use-resource-symbol-reference": { "level": "warning" },
+ "use-safe-access": { "level": "warning" },
+ "use-secure-value-for-secure-inputs": { "level": "error" },
+ "use-stable-resource-identifiers": { "level": "warning" },
+ "use-stable-vm-image": { "level": "warning" }
+ }
+ }
+ }
+}
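Review bot: The `error` levels on the secret-handling rules (`outputs-should-not-contain-secrets`, `secure-secrets-in-params`, `protect-commandtoexecute-secrets`, …) only gate anything if a workflow actually runs `bicep build`, `bicep lint` or `az bicep build` over impl/azure/landing-zone, and nothing in this commit adds such a step — confirm one exists, otherwise the config is advisory in the editor only. Bicep picks the nearest bicepconfig.json walking up from each .bicep file and does not merge configs, so any bicepconfig.json already present under impl/ would shadow this root file entirely; worth a quick check. If churn is the concern behind `"use-recent-api-versions": { "level": "off" }`, the rule's `maxAllowedAgeInDays` setting lets it stay at `warning` with a long window, keeping a nudge toward API versions that carry newer security properties without failing builds.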