hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-20 14:34:04 +02:00
Code Issues Packages Projects Releases Wiki Activity
86,816 Commits 1,741 Branches 165 Tags
dfa8d72dd377b30f6b0dcfb1e9cf8a7db94d8eaf
Commit Graph

59 Commits

Author SHA1 Message Date
Kristen Newbury
7b7411f7df Change alert location CWE-829/ArtifactPoisoning queries 2026-04-08 08:57:45 -04:00
Kristen Newbury
41714656ec Adjust alert messages actions CWE-829 2026-04-02 11:58:58 -04:00
Kristen Newbury
e69e30aa84 Adjust alert messages CWE-829/ArtifactPoisoning[Critical|Medium] 2026-04-02 11:32:37 -04:00
Chris Smowton
02caa098bc Actions: note imprecision of MissingActionsPermissions.ql 
Added a note to the query's qhelp to note its imprecision, but also encourage usage of a permissions block regardless as a belt-and-braces measure.
 2025-12-05 12:36:07 +00:00
Owen Mansel-Chan
fb841ea591 Make predicates containing query logic more self-contained 2025-12-04 16:50:37 +00:00
Owen Mansel-Chan
f6bdb3a126 Fix filtering of code injection alerts between medium and critical 2025-12-04 16:50:34 +00:00
Arthur Baars
5d3ec35e29 Remove non-breaking spaces from code 2025-09-05 09:41:15 +02:00
Nora Dimitrijević
126d24a522 [DIFF-INFORMED] Actions: EnvVarInjection 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql#L35
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql#L46
 2025-08-15 11:11:12 +02:00
Nora Dimitrijević
f1445eb52f [DIFF-INFORMED] Actions: EnvPathInjection 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql#L30
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql#L37
 2025-08-15 11:11:07 +02:00
Nora Dimitrijević
418e4b4a3a [DIFF-INFORMED] Actions: CodeInjection 
Query: https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql#L46
 2025-08-15 11:10:58 +02:00
Nora Dimitrijević
bbda2902be [DIFF-INFORMED] Actions: ArtifactPoisoning 
Queries:
- https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql#L23
- https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql#L26
 2025-08-15 11:10:42 +02:00
Peter Stöckli
98d312fda1 Actions: clarify doc for untrusted checkout 2025-08-11 09:56:53 +00:00
Owen Mansel-Chan
2ed451c9e3 Reformat references 2025-06-26 15:20:07 +01:00
Owen Mansel-Chan
10bb88825e Add full stop at the end of each reference 2025-06-26 15:20:06 +01:00
Owen Mansel-Chan
9f0f40d6ce Add "Correct Usage" and "Incorrect Usage" headings 2025-06-26 14:40:49 +01:00
Owen Mansel-Chan
9521994adc Fix format of markdown query help files 2025-06-26 14:40:07 +01:00
Aditya Sharad
6eb060f16a Actions: Add security-severity to excessive secrets exposure query 
Same value as missing actions permissions,
both providing warnings to follow the
principle of least privilege within a
workflow.
 2025-04-14 14:41:08 -07:00
Aditya Sharad
93fbb9fe61 Actions: Update description of missing permissions query 2025-04-14 14:39:31 -07:00
Aditya Sharad
eeb938a76d Docs: Minor fixes for Actions query help 2025-04-14 13:25:54 -07:00
Aditya Sharad
d31896bf52 Merge pull request #19166 from yoff/actions/add-actions-permissions-MaD-model 
actions: add MaD model for permissions needed by actions
 2025-04-03 01:24:04 +05:30
yoff
6fd8aba560 actions: simplify using existing UsesStep 2025-04-01 17:07:21 +02:00
Marco Gario
d33ce423d8 Update UntrustedCheckoutCritical.ql 2025-04-01 13:58:37 +02:00
yoff
3cdd641b81 actions: fix typo 2025-04-01 13:43:00 +02:00
yoff
1ec3e8712b Apply suggestions from code review 
Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com>
 2025-04-01 13:18:30 +02:00
Marco Gario
c0d7288696 Merge branch 'main' into marcogario-patch-1 2025-04-01 10:59:03 +02:00
Marco Gario
8737acb6a9 Update actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql 
Co-authored-by: Andrew Eisenberg <aeisenberg@github.com>
 2025-03-31 20:42:03 +02:00
yoff
e7bb47f335 ruby: add MaD model for permissions needed by actions 
Use this to suggest minimal set of nedded permissions
 2025-03-31 16:48:37 +02:00
Marco Gario
288fcb6092 Update CWE-829 description for clarity 2025-03-26 15:53:20 +01:00
Marco Gario
b1737858fa UntrustedCheckout: Try and differentiate between two versions of the rule 2025-03-26 12:49:48 +00:00
Marco Gario
29a23a3d20 Update UseOfKnownVulnerableAction.ql 
Name should not end in a `.`
 2025-03-26 13:28:34 +01:00
Aditya Sharad
956b5bf6d6 Actions: Fix typos in query names for env var injection 
This will reflect in the UI titles of existing and new alerts
once shipped but should not churn any existing alerts.
 2025-03-13 17:02:04 -07:00
Jaroslav Lobačevski
fa35d6c3ac Minor example workflow fix 2025-03-10 20:43:16 +00:00
Andrew Eisenberg
2a0e133768 Move UnversionedImmutableAction.ql to experimental 
This query will give too many false positives for users until
immutable actions is released.
 2025-03-06 15:08:02 -08:00
martincostello
f1723321fa Format Document 
Fix lint warning.
 2025-02-14 18:06:00 +00:00
Martin Costello
979d604bf6 Apply suggestions from code review 
Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com>
 2025-02-14 17:21:24 +00:00
martincostello
5d2409e652 Fix query 
Forgot to move the `and`.
 2025-02-14 13:36:09 +00:00
martincostello
9a7ed7f3f7 Re-order conditions 
Makes for a neater diff.
 2025-02-14 13:35:20 +00:00
martincostello
99bb0f0b4f Use if then else 
Apply code review suggestion.

Co-Authored-By: Taus <1104778+tausbn@users.noreply.github.com>
 2025-02-14 13:30:55 +00:00
martincostello
71bc89beda Fix query 
Fix various issues with the query.
 2025-02-14 12:59:02 +00:00
Martin Costello
9a29cebe58 Fix docker SHA false positive 
Fix false positives for pinned Docker container images.
 2025-02-14 12:35:55 +00:00
Dave Bartolomeo
0b2e307f9a Merge pull request #18705 from github/dbartol/actions-suite-selectors 
Use default query selectors for Actions suites
 2025-02-07 14:06:00 -05:00
Dave Bartolomeo
0e4725bfe2 Merge pull request #18435 from felickz/felickz/actions-trusted-owner-data-extensions 
Convert trusted actions list to data extension
 2025-02-07 10:25:41 -05:00
Dave Bartolomeo
74619d49b3 Update precision and severity for unpinned-tag 
This ensures that it will be in `security-extended`, but not the default suite.
 2025-02-06 11:33:17 -05:00
Dave Bartolomeo
81ff4dd81c Update severity for excessive-secrets-exposure 
This ensures that it will remain in the default suite.
 2025-02-06 11:32:32 -05:00
Dave Bartolomeo
d7259c17db Add security tag for missing-actions-permissions 
This ensures that it will remain in the default suite.
 2025-02-06 11:31:36 -05:00
Dave Bartolomeo
909de5280c Update severity and precision of a few injection queries 
These will wind up in `security-extended`, when previously they were not in any of the standard suites.
 2025-02-06 11:30:43 -05:00
Dave Bartolomeo
604dbfd0d0 Actions: Move experimental to experimental directory 
This is consistent with how other languages manage experimental queries. I've left the `experimental` tags in place.
 2025-02-06 10:54:25 -05:00
Chad Bentz
f413c4f467 Remove codeql config references from query doc 2025-01-09 19:32:06 -05:00
Chad Bentz
26074bb7fe Make docs less verbose regarding codeql config + enhance changlog to highlight extensibility 2025-01-09 19:30:02 -05:00
Chad Bentz
6b3098d26c Add configuration instructions for trusted Action publishers using data extensions 2025-01-07 19:26:18 -05:00