Create codeql-synthetics.yml

felickz · web-flow · commit 675c1a3e1d46 · 2024-02-20T10:31:12.000-05:00
diff --git a/configs/codeql-synthetics.yml b/configs/codeql-synthetics.yml
@@ -0,0 +1,114 @@
+# Use this configuration file when looking to get the broadest coverage of security results from the CodeQL Built in packs and the GitHub Security Lab Community packs.
+# WARNING: A notable amount of false positives may be found in this configuration.  If you wish to reduce the number of false positives, use the default codeql suites :)
+# NOTE: This configuration will not include audit level queries intended for gathering information about the codebase, and debugging queries intended for CodeQL developers.
+
+name: "Synthetic Apps All Queries Config"
+
+# expand thread model - https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models
+threat-models: local
+
+# start from scratch - https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#disabling-the-default-queries
+disable-default-queries: true
+
+packs:
+    # All queries from the CodeQL Built in packs (including low/no precision queries)
+    - codeql/cpp-queries:.
+    - codeql/csharp-queries:.
+    - codeql/go-queries:.
+    - codeql/java-queries:.
+    - codeql/javascript-queries:.
+    - codeql/python-queries:.
+    - codeql/ruby-queries:.
+    - codeql/swift-queries:.
+
+    # OSS queries from the default suites
+
+    ### GitHub Security Lab###
+    # Queries via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs (NOTE: the default suites do not include audit/debugging queries)
+    - githubsecuritylab/codeql-cpp-queries
+    - githubsecuritylab/codeql-csharp-queries
+    - githubsecuritylab/codeql-go-queries
+    - githubsecuritylab/codeql-java-queries
+    - githubsecuritylab/codeql-javascript-queries
+    - githubsecuritylab/codeql-python-queries
+    - githubsecuritylab/codeql-ruby-queries
+
+    # Queries via Community Packs that use local sources https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
+    - githubsecuritylab/codeql-java-queries:suites/java-local.qls
+    - githubsecuritylab/codeql-python-queries:suites/python-local.qls
+
+    # Data extensions via Community Packs for libraries (library ext models are those generated by the corresponding queries in src) https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
+    - githubsecuritylab/codeql-csharp-library-sources
+    - githubsecuritylab/codeql-java-library-sources
+
+    # Data extensions via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
+    - githubsecuritylab/codeql-csharp-extensions
+    - githubsecuritylab/codeql-java-extensions
+
+    ### Trail of Bits ###
+    # Queris via packs: https://github.com/trailofbits/codeql-queries  (default suites include security + crypto
+    - trailofbits/cpp-queries
+    - trailofbits/go-queries
+
+# Start with Security Experimental (lightly documented: https://github.com/github/codeql/pull/11702) : https://github.com/github/codeql/blob/main/misc/suite-helpers/security-experimental-selectors.yml
+# - precision ( low + Low or EXCLUDED precision)
+# + problem.severity: recommendation
+# - restriction of no experimental folder
+# - restriction of audit/debugging queries from community packs
+query-filters:
+    - include:
+          kind:
+              - problem
+              - path-problem
+          tags contain:
+              - security
+    - include:
+          kind:
+              - diagnostic
+    - include:
+          kind:
+              - metric
+          tags contain:
+              - summary
+    - exclude:
+          deprecated: //
+    - exclude:
+          query path:
+              # REMOVE exclude - OK even if they exist in experimental folder
+              #- /^experimental\/.*/
+              - Metrics/Summaries/FrameworkCoverage.ql
+              - /Diagnostics/Internal/.*/
+    - exclude:
+          tags contain:
+              - modeleditor
+              - modelgenerator
+    # Exclude audit queries from the CodeQL Built in packs
+    - exclude:
+          id:
+              - cpp/untrusted-data-to-external-api
+              - cs/untrusted-data-to-external-api
+              - go/untrusted-data-to-external-api
+              - java/untrusted-data-to-external-api
+              - js/untrusted-data-to-external-api
+              - py/untrusted-data-to-external-api
+
+    # Remove debugging, and audit queries used by community packs (this is duplicative of the default suites from those community packs)
+    - exclude:
+          tags contain:
+              - debugging
+              - audit
+
+#Additional extractor excludes:  https://github.com/github/codeql/blob/768e5190a1c9d40a4acc7143c461c3b114e7fd59/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java#L421-L427C42
+paths-ignore:
+    # Python
+    - "vendor/**"
+    - "examples/**"
+    - "tests/**"
+
+    # JavaScript
+    - "node_modules"
+    - "**/*.test.js"
+    - "**/*.test.tsx"
+    - "**/*.spec.ts"
+    - "**/*.spec.tsx"
+    - "dist"
