Skip to content

Add CodeQL config to exclude vendor/third-party code#236

Merged
CybotTM merged 2 commits into
mainfrom
security/exclude-vendor-from-codeql
Jan 13, 2026
Merged

Add CodeQL config to exclude vendor/third-party code#236
CybotTM merged 2 commits into
mainfrom
security/exclude-vendor-from-codeql

Conversation

@CybotTM
Copy link
Copy Markdown
Member

@CybotTM CybotTM commented Dec 19, 2025

Summary

  • Add .github/codeql/codeql-config.yml to exclude vendor directories from CodeQL analysis
  • Add .github/workflows/codeql.yml to use the config file with pinned action SHAs

Problem

CodeQL is currently reporting 30 security alerts on third-party/vendor code:

  • 26x js/regex/missing-regexp-anchor in assets/js/ext-js/ (ExtJS 4.1 framework, 2011-2012)
  • 4x js/remote-property-injection in public/docs/swagger/ (Swagger UI bundle)

These are false positives from bundled dependencies that:

  1. Cannot be modified without breaking functionality
  2. Would require major application rewrites to update
  3. Are not actual vulnerabilities in the application code

Solution

Configure CodeQL to exclude vendor paths following GitHub's recommended approach.

Security Improvements

  • Workflow uses pinned action SHAs (not tags)
  • Minimal permissions following least privilege
  • Scans both JavaScript/TypeScript and PHP
  • Uses security-extended and security-and-quality query packs

Test Plan

  • CodeQL workflow runs successfully
  • Security alerts for vendor code are no longer reported
  • Application code is still scanned properly

CybotTM added a commit that referenced this pull request Dec 19, 2025
@CybotTM
Remove conflicting custom CodeQL workflows
3180735 
The repository has GitHub's default CodeQL setup enabled, which conflicts
with the custom workflow file. The custom workflow was failing with:
- "Did not recognize the following languages: php"
- Matrix configuration issues with javascript-typescript

The default CodeQL setup is:
- Already enabled and working correctly
- Automatically detects languages (JavaScript/TypeScript, PHP, Ruby, Actions)
- Handles security analysis without additional configuration
- Passing all checks successfully

Removing the custom workflow eliminates the conflict and allows the
default setup to function properly. The vendor exclusion goals from
the codeql-config.yml are already handled by GitHub's default setup
which intelligently excludes common vendor/dependency directories.

Fixes: Failing CodeQL checks in PR #236
CybotTM added a commit that referenced this pull request Jan 7, 2026
@CybotTM
Remove conflicting custom CodeQL workflows
e608593 
The repository has GitHub's default CodeQL setup enabled, which conflicts
with the custom workflow file. The custom workflow was failing with:
- "Did not recognize the following languages: php"
- Matrix configuration issues with javascript-typescript

The default CodeQL setup is:
- Already enabled and working correctly
- Automatically detects languages (JavaScript/TypeScript, PHP, Ruby, Actions)
- Handles security analysis without additional configuration
- Passing all checks successfully

Removing the custom workflow eliminates the conflict and allows the
default setup to function properly. The vendor exclusion goals from
the codeql-config.yml are already handled by GitHub's default setup
which intelligently excludes common vendor/dependency directories.

Fixes: Failing CodeQL checks in PR #236
@CybotTM CybotTM force-pushed the security/exclude-vendor-from-codeql branch from 3180735 to e608593 Compare January 7, 2026 18:44
@CybotTM
Add CodeQL config to exclude vendor/third-party code
974534c 
Configure CodeQL analysis to exclude bundled dependencies:
- assets/js/ext-js/** (ExtJS 4.1 framework, 2011-2012)
- public/docs/swagger/** (Swagger UI bundle)
- vendor/**, node_modules/**, *.min.js

This resolves 30 false-positive security alerts from third-party code:
- 26x js/regex/missing-regexp-anchor in ExtJS
- 4x js/remote-property-injection in Swagger UI

These are vendor dependencies that cannot be modified without major
application rewrites. The CodeQL config follows GitHub's recommended
approach for excluding third-party code from security analysis.
@CybotTM
Remove conflicting custom CodeQL workflows
e512e82 
The repository has GitHub's default CodeQL setup enabled, which conflicts
with the custom workflow file. The custom workflow was failing with:
- "Did not recognize the following languages: php"
- Matrix configuration issues with javascript-typescript

The default CodeQL setup is:
- Already enabled and working correctly
- Automatically detects languages (JavaScript/TypeScript, PHP, Ruby, Actions)
- Handles security analysis without additional configuration
- Passing all checks successfully

Removing the custom workflow eliminates the conflict and allows the
default setup to function properly. The vendor exclusion goals from
the codeql-config.yml are already handled by GitHub's default setup
which intelligently excludes common vendor/dependency directories.

Fixes: Failing CodeQL checks in PR #236
@CybotTM CybotTM force-pushed the security/exclude-vendor-from-codeql branch from e608593 to e512e82 Compare January 13, 2026 20:14
@CybotTM CybotTM merged commit c86b33f into main Jan 13, 2026
5 of 6 checks passed
@CybotTM CybotTM deleted the security/exclude-vendor-from-codeql branch January 13, 2026 20:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@CybotTM