Skip to content

ci: enable CodeQL SAST scanning for automated security analysis#5151

Merged
jedel1043 merged 5 commits intoboa-dev:mainfrom
RishavTiwari25:ci/add-codeql-sast
Mar 20, 2026
Merged

ci: enable CodeQL SAST scanning for automated security analysis#5151
jedel1043 merged 5 commits intoboa-dev:mainfrom
RishavTiwari25:ci/add-codeql-sast

Conversation

@RishavTiwari25
Copy link

@RishavTiwari25 RishavTiwari25 commented Mar 19, 2026
edited
Loading

This Pull Request fixes/closes #5150

It changes the following:

  • Implements a new .github/workflows/codeql.yml workflow using GitHub's native github/codeql-action.
  • Enables automated Static Application Security Testing (SAST) specifically configured for rust to scan the main codebase and newly opened PRs for deeply-nested logical security bugs.
  • Acts as a highly resilient read-only observability layer, pushing located execution flaws, out-of-bounds writes, or logic manipulation alerts straight to the GitHub "Security" tab.
  • Operates totally independently from existing tests and cargo commands, utilizing safe contents: read permissions.

@github-actions github-actions bot added Waiting On Review Waiting on reviews from the maintainers C-Builtins PRs and Issues related to builtins/intrinsics C-Actions Pull requests that update Github Actions code labels Mar 19, 2026
@github-actions github-actions bot added this to the v1.0.0 milestone Mar 19, 2026
@github-actions github-actions bot added Waiting On Review Waiting on reviews from the maintainers and removed Waiting On Review Waiting on reviews from the maintainers labels Mar 19, 2026
@github-advanced-security
Copy link

github-advanced-security bot commented Mar 19, 2026

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@github-actions
Copy link

github-actions bot commented Mar 19, 2026

Test262 conformance changes

Test result main count PR count difference
Total 52,963 52,963 0
Passed 50,073 50,073 0
Ignored 2,072 2,072 0
Failed 818 818 0
Panics 0 0 0
Conformance 94.54% 94.54% 0.00%

Tested main commit: 055ee0958ce332f3f99af27536a7c6f9a91def27
Tested PR commit: f3e3ffbc8b4057b9d292474a9c725c6f1c7c6f6a
Compare commits: 055ee09...f3e3ffb

@codecov
Copy link

codecov bot commented Mar 19, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.80%. Comparing base (6ddc2b4) to head (27ff871).
⚠️ Report is 902 commits behind head on main.

Additional details and impacted files 
@@             Coverage Diff             @@
##             main    #5151       +/-   ##
===========================================
+ Coverage   47.24%   59.80%   +12.55%     
===========================================
  Files         476      582      +106     
  Lines       46892    63414    +16522     
===========================================
+ Hits        22154    37923    +15769     
- Misses      24738    25491      +753

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

jedel1043
jedel1043 requested changes Mar 19, 2026
View reviewed changes
@github-actions
Copy link

github-actions bot commented Mar 20, 2026
edited
Loading

Test262 conformance changes

Test result main count PR count difference
Total 52,963 52,963 0
Passed 50,126 50,126 0
Ignored 2,025 2,025 0
Failed 812 812 0
Panics 0 0 0
Conformance 94.64% 94.64% 0.00%

Tested main commit: be4cde434e03a9b3b117dc1f39ae394efffdfb54
Tested PR commit: 27ff8711a324a857745791587b66bde50e31a9e0
Compare commits: be4cde4...27ff871

jedel1043
jedel1043 reviewed Mar 20, 2026
View reviewed changes
.github/workflows/codeql.yml Outdated
Comment on lines +28 to +37
uses: actions/checkout@v4

- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
build-mode: none

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
Copy link
Member

@jedel1043 jedel1043 Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use SHA hashes instead of tag versioning

jedel1043
jedel1043 reviewed Mar 20, 2026
View reviewed changes
.github/workflows/codeql.yml Outdated
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
Copy link
Member

@jedel1043 jedel1043 Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should use the sha of v6, not v4

jedel1043
jedel1043 requested changes Mar 20, 2026
View reviewed changes
Copy link
Member

@jedel1043 jedel1043 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing a version bump

@RishavTiwari25
Copy link
Author

RishavTiwari25 commented Mar 20, 2026

Thanks @jedel1043 for the guidance
I have atteched the update.
:)

jedel1043
jedel1043 approved these changes Mar 20, 2026
View reviewed changes
Copy link
Member

@jedel1043 jedel1043 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool, thanks

@jedel1043 jedel1043 added this pull request to the merge queue Mar 20, 2026
Merged via the queue into boa-dev:main with commit 5ea4336 Mar 20, 2026
22 checks passed
@github-actions github-actions bot removed the Waiting On Review Waiting on reviews from the maintainers label Mar 20, 2026
@jedel1043 jedel1043 removed the C-Builtins PRs and Issues related to builtins/intrinsics label Mar 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jedel1043 jedel1043 jedel1043 approved these changes

Assignees

No one assigned

Labels

C-Actions Pull requests that update Github Actions code

Projects

None yet

Milestone

v1.0.0

Development

Successfully merging this pull request may close these issues.

CI: enable CodeQL SAST scanning for automated security analysis

2 participants

@RishavTiwari25 @jedel1043