alchemy-run · naorpeled · Jun 2, 2025 · Jun 2, 2025 · Jun 2, 2025
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -0,0 +1,79 @@
+name: "Alchemy CodeQL Configuration"
+
+# Disable default paths to specify custom ones
+disable-default-path-filters: false
+
+# Define what paths to include in the analysis
+paths:
+  - "alchemy/src"
+  - "alchemy-web/src"
+  - "alchemy-web/docs"
+  - "examples/*/src"
+  - "examples/*/app"
+  - "examples/*/pages"
+  - "examples/*/components"
+  - "stacks"
+  - "scripts"
+
+# Define what paths to exclude from analysis
+paths-ignore:
+  # Test files
+  - "**/*.test.ts"
+  - "**/*.test.js"
+  - "**/*.spec.ts"
+  - "**/*.spec.js"
+  - "**/test/**"
+  - "**/tests/**"
+  - "alchemy/test/**"
+
+  # Generated/Build artifacts
+  - "**/node_modules/**"
+  - "**/lib/**"
+  - "**/dist/**"
+  - "**/build/**"
+  - "**/.next/**"
+  - "**/.nuxt/**"
+  - "**/.output/**"
+  - "**/out/**"
+  - "**/*.d.ts"
+  - "**/types/generated/**"
+
+  # Configuration files that don't need security analysis
+  - "**/*.config.js"
+  - "**/*.config.ts"
+  - "**/*.config.mjs"
+  - "**/vite.config.*"
+  - "**/vitest.config.*"
+  - "**/tailwind.config.*"
+  - "**/biome.json"
+  - "**/tsconfig*.json"
+  - "**/.cursorrules"
+
+  # Documentation and misc files
+  - "**/*.md"
+  - "**/*.mdx"
+  - "**/CHANGELOG.md"
+  - "**/README.md"
+  - "**/LICENSE"
+  - "**/.github/**"
+  - "**/public/**"
+  - "**/static/**"
+
+# Query pack configuration
+packs:
+  # Include the JavaScript queries pack
+  - codeql/javascript-queries
+
+# Query suite configuration
+queries:
+  # Use comprehensive security and quality query suites
+  - uses: security-extended
+  - uses: security-and-quality
+
+# Custom query suites for more specific analysis
+query-filters:
+  # Exclude certain query results that may be noisy for this type of project
+  - exclude:
+      id: js/incomplete-sanitization
+  - exclude:
+      id: js/incomplete-multi-character-sanitization 
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,89 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+    types: [opened, reopened, synchronize]
+  schedule:
+    # Run CodeQL analysis at 6:30 AM UTC every Monday
+    - cron: "30 6 * * 1"
+  workflow_dispatch:
+
+# Ensure only one CodeQL workflow runs at a time
+concurrency:
+  group: "codeql-${{ github.ref }}"
+  cancel-in-progress: true
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["javascript"]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Use only 'javascript' to cover both JavaScript and TypeScript
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          # Fetch enough history for CodeQL to analyze changes effectively
+          fetch-depth: 0
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v1
+        with:
+          bun-version: latest
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # Use the custom configuration file for detailed analysis settings
+          config-file: ./.github/codeql/codeql-config.yml
+
+      # Install dependencies to help CodeQL understand the codebase better
+      - name: Install dependencies
+        run: |
+          bun install --frozen-lockfile
+
+      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #     echo "Run, Build Application using script"
+      #     ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"
+
+      # Upload results as artifacts for debugging if needed
+      - name: Upload CodeQL results
+        uses: actions/upload-artifact@v4
+        if: failure()
+        with:
+          name: codeql-results-${{ matrix.language }}
+          path: ${{ runner.temp }}/codeql_databases/
+          retention-days: 5