
Suppress CodeQL false positives for filepath fields#3122

Closed
brianaydemir wants to merge 1 commit into PelicanPlatform:main from brianaydemir:codeql-fixes

Conversation

@brianaydemir
Contributor

Add a custom replacement for the built-in go/clear-text-logging query that allowlists S3SecretKeyfile, UIPasswordFile, and PasswordLocation. These struct fields store file paths, not secrets, so logging them is safe.

@brianaydemir
Contributor Author

According to Copilot:

Here's a summary of the changes:

Files created:
1. .github/codeql/codeql-config.yml — CodeQL configuration that loads our custom Go queries and excludes the built-in go/clear-text-logging query (matched by query path: /^Security\//) so only our custom version runs.
2. .github/codeql/go/qlpack.yml — CodeQL query pack definition declaring a dependency on codeql/go-all.
3. .github/codeql/go/CleartextLogging.ql — Custom replacement for the built-in go/clear-text-logging query. It adds an isSafeFilepathField predicate that allowlists S3SecretKeyfile, UIPasswordFile, and PasswordLocation — struct fields that store file paths rather than secrets. The query otherwise preserves all the original logic.

Files modified:
1. .github/workflows/codeql-analysis.yml — Added config-file: ./.github/codeql/codeql-config.yml to the CodeQL init step.

This eliminates the ~25+ false-positive go/clear-text-logging alerts (like #333) while keeping the query active for any genuinely sensitive data.
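The three configuration pieces the summary above describes, written out as an added example (not the files from this PR, whose contents are not shown on the page). The pack name, version and config name are assumed. One deliberate difference from the summary: the built-in query is excluded by its stable id rather than by the path pattern `/^Security\//`, because that pattern matches every default query whose path starts with `Security/`, not only the cleartext-logging one. Give the custom replacement query its own `@id` so that no exclusion filter can match it, and after the first run check the code-scanning alert list (or the uploaded SARIF) to confirm that results from the custom query appear while the other `Security/` queries are still reported.

```yaml
# --- .github/codeql/codeql-config.yml (constructed example) ---
name: "Go analysis with a filepath-aware cleartext-logging query"

queries:
  # Load the repository's own query pack (directory with a qlpack.yml).
  - uses: ./.github/codeql/go

query-filters:
  # Exclude only the built-in query that the custom one replaces.
  # Matching by id keeps every other default Security/ query active.
  - exclude:
      id: go/clear-text-logging

# --- .github/codeql/go/qlpack.yml (constructed example; name/version assumed) ---
name: pelicanplatform/go-queries
version: 0.0.1
dependencies:
  codeql/go-all: "*"

# --- .github/workflows/codeql-analysis.yml, init step only (constructed example) ---
# - uses: github/codeql-action/init@v3
#   with:
#     languages: go
#     config-file: ./.github/codeql/codeql-config.yml
```

Keeping the exclusion narrow matters more than it looks: a too-broad `query path` filter silently disables unrelated checks and produces no alert of its own, so the only evidence is the absence of findings.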

@brianaydemir brianaydemir added labels: infrastructure (GitHub Actions, Release management, and CI), internal (Internal code improvements, not user-facing) on Feb 14, 2026
@brianaydemir
Contributor Author

For posterity, my "conversation" with Copilot: GitHub Copilot CodeQL fixes.txt.

Add a custom replacement for the built-in go/clear-text-logging query
that allowlists S3SecretKeyfile, UIPasswordFile, and PasswordLocation.
These struct fields store file paths, not secrets, so logging them is
safe.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@brianaydemir
Contributor Author

Closing this one. It was a nice experiment in throwing Copilot at a problem, but it's not clear whether any human has the time and inclination to verify the fix, nor is it clear that re-configuring CodeQL is actually the way to solve this problem.

@bbockelm
Collaborator

bbockelm commented Mar 4, 2026

@brianaydemir - funny you mention that because I was just about to angrily poke at the CodeQL issue again.

Honestly, I haven't the foggiest about the CodeQL language. I think I'm going to take the boring route and try generating a data structure that CodeQL can correctly analyze (because I've no idea how to maintain the CodeQL changes either)
