
ci(security): CodeQL (Swift + Actions) + Dependency Review#9

Merged: katipally merged 1 commit into main from ci/security-codeql on Jun 9, 2026

Conversation

@katipally (Owner)

What

Two new security workflows to harden the repo for outside contributors.

CodeQL (codeql.yml)

  • swift — builds the app + DoomCoderCore under CodeQL's tracer (mirrors the Build Mac CI job, no signing) and runs GitHub's security queries over it.
  • actions — scans the workflow files for script injection / unsafe ${{ }} / over-broad permissions. This is the exact class of issue the old release-drafter pull_request_target trigger was.
  • Default (high-confidence) query suite — no security-extended — so findings are actionable, not noisy. Runs on push/PR to main + a weekly re-scan. Least-privilege permissions.

Dependency Review (dependency-review.yml)

  • On every PR, fails if it adds a dependency with a known moderate+ advisory or a strong-copyleft license (deny-list, not allow-list, to avoid false-blocking benign licenses).
  • PR-only — can never block a release.

Notes

  • Both are free for public repos.
  • Verified: both YAMLs parse; Swift build matches the known-good CI invocation.

🤖 Generated with Claude Code

CodeQL: parallel analysis of (1) Swift — the app + DoomCoderCore, built
under the CodeQL tracer mirroring the existing CI build, and (2) Actions
— the workflow files, which catches script-injection / unsafe ${{ }}
interpolation / over-broad tokens (the class of bug the old
release-drafter pull_request_target trigger was). Default high-confidence
query suite to stay actionable, weekly scheduled re-scan, least-privilege
permissions.

Dependency Review: on each PR, fails if it introduces a dependency with a
known moderate+ advisory or a strong-copyleft license. Supply-chain
complement to CodeQL; PR-only so it never blocks a release.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
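The CodeQL workflow the description outlines, written out as an illustrative `codeql.yml` (an added example, not the file merged in this PR). The Swift job here uses CodeQL's `autobuild` mode as a stand-in for the PR's approach of mirroring the Build Mac CI invocation, which this page does not reproduce; the cron schedule is a constructed value.

```yaml
# .github/workflows/codeql.yml (illustrative; not the file merged in this PR)
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "17 3 * * 1"   # weekly re-scan (Mondays, 03:17 UTC); constructed value

# Least privilege: the job token can read the repo and upload alerts, nothing else.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ${{ matrix.runner }}
    strategy:
      fail-fast: false
      matrix:
        include:
          # Swift is compiled under the CodeQL tracer, so it needs a macOS runner.
          - language: swift
            runner: macos-latest
            build-mode: autobuild   # assumption; the PR mirrors the CI xcodebuild step instead
          # Workflow files are scanned as source; no build step is involved.
          - language: actions
            runner: ubuntu-latest
            build-mode: none
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          # Default suite only: no `queries: security-extended`, so results stay
          # high-confidence, as the description intends.

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

The `actions` matrix entry is what flags the `pull_request_target` pattern the description refers to; the `${{ }}` expressions in this file only read matrix values, not PR-controlled input, so they are not the unsafe interpolation that scan looks for.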
@github-actions github-actions Bot added the ci CI, workflows, or repo tooling label Jun 9, 2026
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@katipally katipally merged commit fc6a336 into main Jun 9, 2026
9 of 10 checks passed
@katipally katipally deleted the ci/security-codeql branch June 9, 2026 20:32
katipally added a commit that referenced this pull request Jun 13, 2026
ci(security): CodeQL (Swift + Actions) + Dependency Review