feat:Add CodeQL analysis workflow configuration#322
Conversation
This workflow file configures CodeQL analysis for the repository, specifying triggers, jobs, and steps for analyzing various programming languages.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✅ Files skipped from review due to trivial changes (1)
WalkthroughAdds a GitHub Actions CodeQL Advanced workflow triggered on pushes and pull requests to ChangesCodeQL Workflow Setup
Estimated code review effort: 1 (Trivial) | ~5 minutes Sequence Diagram(s)sequenceDiagram
participant GitHubActions
participant CodeQLInit
participant ManualBuild
participant CodeQLAnalyze
GitHubActions->>CodeQLInit: initialize with matrix language, build-mode, and config file
CodeQLInit->>ManualBuild: run manual build commands when build-mode is manual
ManualBuild->>CodeQLAnalyze: provide completed build or fail on placeholders
CodeQLInit->>CodeQLAnalyze: analyze with language category
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 8
🧹 Nitpick comments (2)
.github/workflows/codeql.yml (2)
59-60: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winSet
persist-credentials: falseon the checkout step.The
actions/checkout@v4action defaults topersist-credentials: true, which leaves a GitHub App token in the local git config for the duration of the job. Since this workflow only reads code for analysis and never pushes, disabling credential persistence reduces the attack surface if the runner is compromised.🔒️ Disable credential persistence
- name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/codeql.yml around lines 59 - 60, The checkout step in the CodeQL workflow currently leaves credentials persisted by default; update the existing actions/checkout@v4 step to disable credential persistence. Modify the Checkout repository step in the workflow so it uses the checkout action without storing the GitHub token in git config, since this job only analyzes code and never pushes changes.Source: Linters/SAST tools
88-97: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueManual build step will always fail — consider providing actual build commands.
The
Run manual build stepsstep unconditionallyexit 1whenbuild-modeismanual. Currently the matrix only usesautobuildandnone, so this step is skipped. However, if someone switchesjava-kotlintomanualin the future, the workflow will fail with a placeholder error instead of building the project. Consider replacing the placeholder with the actual Maven build command (mvn -B compileor similar) or removing the step to avoid confusion.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/codeql.yml around lines 88 - 97, The manual build placeholder in the workflow will fail whenever `matrix.build-mode` is set to `manual`; update the `Run manual build steps` job step to use the real build logic instead of the dummy `exit 1`. Use the workflow’s existing build-mode handling to either run the appropriate Maven compile command for `java-kotlin` in this step or remove the step if manual mode is not supported, so the `codeql.yml` workflow doesn’t break later when `manual` is enabled.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/codeql-config.yml:
- Around line 1-5: The CodeQL config file is in the wrong directory and is being
treated as a workflow file, so move the existing codeql-config.yml from
.github/workflows to .github/codeql to match the path used by the codeql
workflow and avoid actionlint parsing errors. Keep the contents unchanged; only
relocate the file so the CodeQL init step can find it and the .github/workflows
directory contains only actual workflow definitions.
In @.github/workflows/codeql.yml:
- Around line 69-74: The Initialize CodeQL step in the codeql workflow points
`config-file` at a non-existent absolute path. Update the
`github/codeql-action/init@v4` configuration to reference the
repository-relative location without the leading slash, and make sure it matches
where `codeql-config.yml` will live after the move to `.github/codeql/`.
In `@base/src/main/java/com/tinyengine/it/test/VulnerableTest.java`:
- Around line 75-86: The /file-read endpoint in VulnerableTest is building a
filesystem path directly from the filename request parameter, which allows path
traversal. Update fileRead(String filename) to stop concatenating raw input into
new File(...) and instead validate and normalize the requested path against the
intended base directory before opening it with FileReader; reject any input that
escapes /var/data or use a fixed allowlist of safe filenames.
- Around line 52-63: The ssrf endpoint in VulnerableTest is directly opening an
HttpURLConnection from untrusted urlParam, which makes the route exploitable for
SSRF. Fix ssrf by removing direct URL construction from user input or by
enforcing a strict allowlist of permitted hosts/schemes before creating the URL
and opening the connection, and ensure any outbound request goes through a
validated helper rather than raw new URL(...) / openConnection() calls.
- Around line 37-48: The commandInjection endpoint is directly passing
user-controlled filename into Runtime.exec, creating a command injection risk.
Update commandInjection to stop building a shell command from raw request data;
instead use a safe ProcessBuilder/argument list with fixed command tokens and
validate/whitelist filename before use. Keep the fix localized to the
commandInjection method and ensure no user input reaches Runtime.exec as a
single concatenated string.
- Around line 67-71: The issue is that `VulnerableTest.hardcodedCredential()`
and the `DriverManager.getConnection` usage contain plaintext credentials in
source. Remove the hardcoded `password` and `apiKey` values and replace them
with test-safe placeholders or injected values, and either move this class into
the test source set or refactor the connection setup so
`DriverManager.getConnection` does not embed secrets. Keep the fix localized to
`hardcodedCredential()` and the connection code path flagged by the scanner.
- Around line 20-33: The sqlInjection endpoint in VulnerableTest is exposing a
live SQL injection path by taking productId and concatenating it into a JDBC
query executed through Statement. Move this controller out of the main source
set or guard it behind a non-production profile/conditional so
`@GetMapping`("/sql-injection") is not deployed in production, and keep the
vulnerable query only in the isolated test fixture used for CodeQL validation.
- Around line 16-17: The VulnerableTest controller is currently in the
production classpath and gets picked up by Spring component scanning, exposing
dangerous endpoints at runtime. Move the VulnerableTest class out of
base/src/main/java into test-only sources, or guard the `@RestController` with a
non-production profile so it is not registered in production. Keep the fix
scoped to the VulnerableTest type and its Spring annotations so the app module
no longer exposes those endpoints.
---
Nitpick comments:
In @.github/workflows/codeql.yml:
- Around line 59-60: The checkout step in the CodeQL workflow currently leaves
credentials persisted by default; update the existing actions/checkout@v4 step
to disable credential persistence. Modify the Checkout repository step in the
workflow so it uses the checkout action without storing the GitHub token in git
config, since this job only analyzes code and never pushes changes.
- Around line 88-97: The manual build placeholder in the workflow will fail
whenever `matrix.build-mode` is set to `manual`; update the `Run manual build
steps` job step to use the real build logic instead of the dummy `exit 1`. Use
the workflow’s existing build-mode handling to either run the appropriate Maven
compile command for `java-kotlin` in this step or remove the step if manual mode
is not supported, so the `codeql.yml` workflow doesn’t break later when `manual`
is enabled.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 4969a368-e7ad-4fe8-90e9-d3f059c491d5
📒 Files selected for processing (3)
.github/workflows/codeql-config.yml.github/workflows/codeql.ymlbase/src/main/java/com/tinyengine/it/test/VulnerableTest.java
PR漏洞扫描配置,增量扫描,已验证
Summary by CodeRabbit