Code Securty QL

Author: Georges034302

.github/codeql/config.yml

@@ -0,0 +1,11 @@
+name: "CodeQL Config"
+disable-default-queries: false
+queries:
+  - uses: security-extended
+  - uses: ./queries
+paths:
+  - UserApp/
+paths-ignore:
+  - '**/test/**'
+  - '**/obj/**'
+  - '**/bin/**'

.github/codeql/org-policy.yml

@@ -0,0 +1,20 @@
+name: "Org-Wide CodeQL Policy"
+disable-default-queries: false
+queries:
+  - uses: org/[email protected]/csharp/security/FindHardcodedSecrets.ql
+  - uses: security-and-quality
+languages:
+  - csharp
+paths:
+  - '**/*.cs'
+rules:
+  - id: cs/hardcoded-secrets
+    severity: error
+    paths:
+      - 'UserApp/**/*.cs'
+    mode: block
+    message: |
+      ❌ Hardcoded secrets detected. Please:
+      1. Remove embedded credentials
+      2. Use environment variables or secrets config
+      3. Follow secure development best practices

.github/codeql/qlpack.yml

@@ -0,0 +1,5 @@
+name: userapp/secrets
+version: 0.0.1
+library: true
+dependencies:
+  codeql/csharp-all: "*"

.github/codeql/queries/FindHardcodedSecrets.ql

@@ -0,0 +1,26 @@
+/**
+ * @name Find hardcoded secrets in C#
+ * @description Detects hardcoded string literals assigned to fields with secret-related names
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 8.0
+ * @id cs/hardcoded-secrets
+ * @tags security
+ */
+
+import csharp
+
+predicate isSecretField(Field f) {
+  f.getName().regexpMatch("(?i).*(apiKey|token|secret|password|auth)")
+}
+
+predicate isSecretValue(string_literal s) {
+  s.getValue().regexpMatch("(?i)^(sk_.*|token_.*|apikey_.*|[a-zA-Z0-9+/=]{32,})")
+}
+
+from Field f, string_literal s
+where
+  isSecretField(f) and
+  f.getInitializer() = s and
+  isSecretValue(s)
+select s, "Hardcoded secret detected: '" + s.getValue() + "' assigned to field '" + f.getName() + "'"

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: "nuget"
+    directory: "/UserApp"
+    schedule:
+      interval: "daily"
+    labels:
+      - "dependencies"
+      - "automerge"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "📦 deps:"

.github/workflows/codeql.yml

@@ -0,0 +1,28 @@
+name: CodeQL Scan
+on:
+  push:
+    branches: [main]
+    paths:
+      - '**/*.cs'
+  pull_request:
+    branches: [main]
+    paths:
+      - '**/*.cs'
+permissions:
+  contents: read
+  security-events: write
+jobs:
+  analyze:
+    name: CodeQL Analyze C#
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-dotnet@v3
+        with:
+          dotnet-version: '8.0.x'
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: csharp
+          config-file: .github/codeql/config.yml
+      - run: dotnet build UserApp/UserApp.csproj --configuration Release
+      - uses: github/codeql-action/analyze@v3