From bb6c467a52f21fbc4441c18e05a73bc31276852f Mon Sep 17 00:00:00 2001
From: Erik Burton
Date: Tue, 24 Feb 2026 15:12:47 -0800
Subject: [PATCH] feat: codeql pack with trusted owners
---
 .gitignore | 3 +
 codeql/README.md | 60 +++++++++++++++++++
 codeql/actions/codeql-pack.lock.yml | 4 ++
 codeql/actions/models/trusted-owner.model.yml | 11 ++++
 codeql/actions/qlpack.yml | 7 +++
 5 files changed, 85 insertions(+)
 create mode 100644 codeql/README.md
 create mode 100644 codeql/actions/codeql-pack.lock.yml
 create mode 100644 codeql/actions/models/trusted-owner.model.yml
 create mode 100644 codeql/actions/qlpack.yml
diff --git a/.gitignore b/.gitignore
index b366a77b5..1359b51d6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -51,3 +51,6 @@ bin/ # other caches **/.cache/**
+
+# codeql
+**/.codeql/**
diff --git a/codeql/README.md b/codeql/README.md
new file mode 100644
index 000000000..c151360b2
--- /dev/null
+++ b/codeql/README.md
@@ -0,0 +1,60 @@
+# CodeQL
+
+Custom CodeQL model packs.
+
+## Development
+
+1. Install codeql CLI
+ (https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/setting-up-the-codeql-cli)
+
+```sh
+# https://formulae.brew.sh/cask/codeql
+brew install --cask codeql
+```
+
+### Setup
+
+`codeql pack init`
+
+- https://docs.github.com/en/code-security/tutorials/customize-code-scanning/creating-and-working-with-codeql-packs
+
+## Publishing
+
+1. `cd` into the directory containing the `qlpack.yml` file.
+2. If needed, bump the version in the `qlpack.yml`
+ 1. Check versions already published at
+ https://github.com/orgs/smartcontractkit/packages
+3. `gh auth token | codeql pack publish --github-auth-stdin`
+
+## Using
+
+### CodeQL Default
+
+As far as I can tell, there is no way to configure specific repos to use
+_separately_ published CodeQL model packs.
+
+You can use model packs declared explicitly in your repository though. If you
+wish to do this, follow
+[these instructions](https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/editing-your-configuration-of-default-setup#extending-codeql-coverage-with-codeql-model-packs-in-default-setup).
+
+#### At the org-level
+
+At the org-level, you can configure all default CodeQL setups to include
+specific model packs. See
+[these docs](https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/editing-your-configuration-of-default-setup#extending-coverage-for-all-repositories-in-an-organization).
+
+### CodeQL Advanced
+
+CodeQL Advanced requires passing in a config or a pack explicitly.
+
+For example:
+
+`.github/codeql/codeql-actions.yml`
+
+```yml
+packs:
+ - smartcontractkit/actions-all-extension@^
+
+queries:
+ - uses: security-extended
+```
diff --git a/codeql/actions/codeql-pack.lock.yml b/codeql/actions/codeql-pack.lock.yml
new file mode 100644
index 000000000..530042745
--- /dev/null
+++ b/codeql/actions/codeql-pack.lock.yml
@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false
diff --git a/codeql/actions/models/trusted-owner.model.yml b/codeql/actions/models/trusted-owner.model.yml
new file mode 100644
index 000000000..31f49d770
--- /dev/null
+++ b/codeql/actions/models/trusted-owner.model.yml
@@ -0,0 +1,11 @@
+# See: https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-actions/#example-extend-the-trusted-actions-publishers-for-the-actions-unpinned-tag-query
+# I believe the default configuration is here: https://github.com/github/codeql/blob/main/actions/ql/lib/ext/config/trusted_actions_owner.yml
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: trustedActionsOwnerDataModel
+ data:
+ - ["smartcontractkit"]
+ - ["actions"]
+ - ["github"]
+ - ["advanced-security"]
diff --git a/codeql/actions/qlpack.yml b/codeql/actions/qlpack.yml
new file mode 100644
index 000000000..05f011019
--- /dev/null
+++ b/codeql/actions/qlpack.yml
@@ -0,0 +1,7 @@
+name: smartcontractkit/actions-all-extension
+version: 1.0.0
+library: true
+extensionTargets:
+ codeql/actions-all: "*"
+dataExtensions:
+ - models/**/*.yml
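Review bot: The `data` rows in trusted-owner.model.yml trust an owner, not an action, so every action published under `smartcontractkit` stops being reported by the unpinned-tag query when it is referenced by a mutable tag, and that trade-off is not stated anywhere in the file; a comment beside the rows would make it explicit, e.g. `# Suppresses unpinned-tag findings for ALL actions under these owners; only list orgs whose release tags are treated as immutable`. The second header comment says "I believe" the upstream default lives in `trusted_actions_owner.yml`; if that file already lists `actions`, `github` and `advanced-security`, the last three rows only restate the defaults and can be dropped, so it is worth confirming and recording the result in the comment rather than leaving the guess. Since the extension is declared with `addsTo`, it appears to only append to the upstream list and cannot remove an owner from it, which is also worth noting for whoever maintains this file.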
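Review bot: In qlpack.yml, `dataExtensions: - models/**/*.yml` applies every YAML file under models/ as a data extension, so a stray or experimental file there silently changes which owners are trusted; a one-line comment on that entry stating the intent would help, e.g. `# every *.yml under models/ is loaded as a data extension; review additions carefully`. The `version: 1.0.0` declared here is the value consumers pin against, yet the README example references `smartcontractkit/actions-all-extension@^` with nothing after the caret; if a caret range was intended the example should read `@^1.0.0`, otherwise the two files disagree on how the pack is versioned.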