Paolo Tranquilli
f9e42ac443
Merge pull request #21794 from github/post-release-prep/codeql-cli-2.25.4
...
Post-release preparation for codeql-cli-2.25.4
2026-05-07 14:43:24 +02:00
Owen Mansel-Chan
e6f587e761
Merge pull request #21715 from knewbury01/knewbury01/adjust-actions-queries-untrusted-checkout
...
Improve actions/ql/src/Security/CWE-829/UntrustedCheckoutX queries
2026-05-06 11:52:30 +01:00
Kristen Newbury
6a8f9a950c
Fix unit test expected file
2026-05-05 13:27:09 -04:00
github-actions[bot]
7610277199
Post-release preparation for codeql-cli-2.25.4
2026-05-05 10:10:06 +00:00
github-actions[bot]
88e1d86c27
Release preparation for version 2.25.4
2026-05-05 09:34:30 +00:00
Kristen Newbury
f9f1349a0d
Undo larger change in this PR
2026-05-04 16:50:55 -04:00
Kristen Newbury
39b6cf9468
Address review comments
2026-05-04 16:47:44 -04:00
Kristen Newbury
b0bc0fdd61
Adjust changenotes actions queries
2026-04-30 12:28:06 -04:00
Kristen Newbury
4fd02220c7
Update help files CWE-829/UntrustedCheckoutX
2026-04-30 10:50:06 -04:00
github-actions[bot]
a0bab539bb
Post-release preparation for codeql-cli-2.25.3
2026-04-20 12:40:34 +00:00
Michael B. Gale
34b5dcfd5f
Improve wording of actions note
2026-04-20 11:40:32 +02:00
github-actions[bot]
c861d99802
Release preparation for version 2.25.3
2026-04-20 09:27:23 +00:00
Paolo Tranquilli
5342cc79fb
Merge pull request #21574 from github/redsun82/actions/remove-harden-runner-false-positive
...
Remove false positive injection sink models for `docker/build-push-action` and `step-security/harden-runner`
2026-04-17 09:43:45 +02:00
Kristen Newbury
81532c7ce6
Fix outstanding expected file
2026-04-16 11:37:03 -04:00
Kristen Newbury
ed4e2bc5b9
Improve formatting helpfiles
2026-04-15 16:29:57 -04:00
Kristen Newbury
589e1e5c19
Update actions/ql/lib/ext/config/poisonable_steps.yml
...
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-15 16:27:06 -04:00
Kristen Newbury
c9e5dbda78
Update actions/ql/lib/ext/config/poisonable_steps.yml
...
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-15 16:26:38 -04:00
Kristen Newbury
a342efca0e
Revert accidental change
2026-04-15 16:12:52 -04:00
Kristen Newbury
1233d81523
Improve actions/ql/src/Security/CWE-829/UntrustedCheckoutX queries
2026-04-15 14:11:17 -04:00
Henry Mercer
43c9b95e6f
Merge branch 'main' into post-release-prep/codeql-cli-2.25.2
2026-04-14 13:56:52 +01:00
Jeroen Ketema
888d392040
Merge pull request #21636 from jketema/actions-perm
...
Actions: Correctly check reusable workflow permissions in `actions/missing-workflow-permissions`
2026-04-10 15:02:36 +02:00
Kristen Newbury
7b7411f7df
Change alert location CWE-829/ArtifactPoisoning queries
2026-04-08 08:57:45 -04:00
github-actions[bot]
242090e0ac
Post-release preparation for codeql-cli-2.25.2
2026-04-06 13:49:20 +00:00
github-actions[bot]
4fe2f6d2b4
Release preparation for version 2.25.2
2026-04-06 10:30:38 +00:00
Kristen Newbury
41714656ec
Adjust alert messages actions CWE-829
2026-04-02 11:58:58 -04:00
Kristen Newbury
e69e30aa84
Adjust alert messages CWE-829/ArtifactPoisoning[Critical|Medium]
2026-04-02 11:32:37 -04:00
Jeroen Ketema
87f9b9581e
Actions: Add change note
2026-04-02 15:48:45 +02:00
Jeroen Ketema
47409d1c59
Actions: Update expected test results
2026-04-02 15:43:49 +02:00
Jeroen Ketema
74e6d3474d
Actions: Correctly check permissions in actions/missing-workflow-permissions
2026-04-02 15:42:45 +02:00
Jeroen Ketema
5866bcc881
Actions: Add FP test for actions/missing-workflow-permissions
2026-04-02 15:41:41 +02:00
github-actions[bot]
ce6e6d5db3
Post-release preparation for codeql-cli-2.25.1
2026-03-30 08:43:48 +00:00
Paolo Tranquilli
e0bc18c228
Add changenote for false positive sink model removals
2026-03-26 09:19:34 +01:00
Paolo Tranquilli
e807545591
Remove false positive docker/build-push-action context sink model
...
The `context` input is passed as a single array element through
`docker/actions-toolkit` and `@actions/exec` all the way to
`child_process.spawn()`, which does not perform shell splitting.
No code injection is possible.
Fixes https://github.com/github/codeql/issues/21428
2026-03-26 09:08:34 +01:00
github-actions[bot]
fb011842c9
Release preparation for version 2.25.1
2026-03-25 23:43:06 +00:00
Paolo Tranquilli
55d16e8781
Remove false-positive command-injection sink model for step-security/harden-runner
...
The `allowed-endpoints` input only flows to `execFileSync("echo", [content])`
(no shell) and `fs.writeFileSync` (JSON config), neither of which is a
command injection vector.
Fixes https://github.com/github/codeql/issues/21568
2026-03-25 10:58:16 +01:00
github-actions[bot]
8cf0954796
Release preparation for version 2.25.1
2026-03-25 08:28:30 +00:00
github-actions[bot]
d6055754b6
Release preparation for version 2.25.0
2026-03-16 12:15:34 +00:00
github-actions[bot]
e152f08468
Post-release preparation for codeql-cli-2.24.3
2026-03-02 22:51:27 +00:00
github-actions[bot]
7795badd18
Release preparation for version 2.24.3
2026-03-02 13:23:40 +00:00
github-actions[bot]
b5898c5a30
Post-release preparation for codeql-cli-2.24.2
2026-02-16 17:07:45 +00:00
github-actions[bot]
ef04f927fb
Release preparation for version 2.24.2
2026-02-16 13:29:25 +00:00
github-actions[bot]
73d06f26cb
Post-release preparation for codeql-cli-2.24.1
2026-02-02 14:04:26 +00:00
github-actions[bot]
0db542e9f0
Release preparation for version 2.24.1
2026-02-02 12:09:09 +00:00
Chris Smowton
a326ce34a8
change note
2026-01-23 15:47:17 +00:00
Chris Smowton
9018401722
Add test
2026-01-23 15:37:40 +00:00
Chris Smowton
6c2e0f7658
Move library tests into subdirectory
2026-01-23 15:35:25 +00:00
Chris Smowton
dc26a57548
Use possessive quantifier to avoid stack overflow on large ${{}} expressions
2026-01-23 15:35:24 +00:00
github-actions[bot]
48475e66af
Post-release preparation for codeql-cli-2.24.0
2026-01-19 15:49:08 +00:00
github-actions[bot]
4142b9c4ce
Release preparation for version 2.24.0
2026-01-19 14:49:14 +00:00
Tom Hvitved
3cdca25a67
Actions: Add examples qlpack
2026-01-16 12:48:54 +01:00