Skip to content

feat:Add CodeQL analysis workflow configuration#322

Open
msslulu wants to merge 8 commits into
opentiny:developfrom
msslulu:feat/codeSecurity
Open

feat:Add CodeQL analysis workflow configuration#322
msslulu wants to merge 8 commits into
opentiny:developfrom
msslulu:feat/codeSecurity

Conversation

@msslulu

@msslulu msslulu commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

PR漏洞扫描配置,增量扫描,已验证

Summary by CodeRabbit

  • Chores
    • Added automated CodeQL security scanning for Java/Kotlin and Actions workflows.
    • Scans run on changes to the development branch, pull requests, and weekly on a scheduled basis.
    • Excludes build outputs, test sources, and generated code from analysis.

msslulu added 2 commits July 7, 2026 04:36
This workflow file configures CodeQL analysis for the repository, specifying triggers, jobs, and steps for analyzing various programming languages.
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 108a4957-e9b9-4d70-8a52-e7fc3b4e85c5

📥 Commits

Reviewing files that changed from the base of the PR and between bf688fe and c76bf9a.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/codeql.yml

Walkthrough

Adds a GitHub Actions CodeQL Advanced workflow triggered on pushes and pull requests to develop and on a weekly schedule, with a matrix analyzing actions and java-kotlin, plus a CodeQL configuration file excluding build, test, and generated-source directories from scanning.

Changes

CodeQL Workflow Setup

Layer / File(s) Summary
CodeQL configuration and path exclusions
.github/codeql/codeql-config.yml
Adds paths-ignore entries excluding target/, src/test/, and generated-sources/ from CodeQL scanning.
CodeQL Advanced workflow definition
.github/workflows/codeql.yml
Defines triggers, a matrix for actions and java-kotlin, dynamic runner selection and permissions, CodeQL initialization, conditional manual-build handling, and final analysis with a language-based category.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Sequence Diagram(s)

sequenceDiagram
  participant GitHubActions
  participant CodeQLInit
  participant ManualBuild
  participant CodeQLAnalyze
  GitHubActions->>CodeQLInit: initialize with matrix language, build-mode, and config file
  CodeQLInit->>ManualBuild: run manual build commands when build-mode is manual
  ManualBuild->>CodeQLAnalyze: provide completed build or fail on placeholders
  CodeQLInit->>CodeQLAnalyze: analyze with language category
Loading

Poem

A rabbit scans the code with glee,
No bugs shall hide from CodeQL’s eye 🐇🔍
Weekly hops, push, and PR too,
Ignoring targets, tests slip through,
Hopping safe beneath a clean CI sky!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the main change: adding CodeQL analysis workflow configuration.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 8

🧹 Nitpick comments (2)
.github/workflows/codeql.yml (2)

59-60: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Set persist-credentials: false on the checkout step.

The actions/checkout@v4 action defaults to persist-credentials: true, which leaves a GitHub App token in the local git config for the duration of the job. Since this workflow only reads code for analysis and never pushes, disabling credential persistence reduces the attack surface if the runner is compromised.

🔒️ Disable credential persistence
 - name: Checkout repository
   uses: actions/checkout@v4
+  with:
+    persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml around lines 59 - 60, The checkout step in the
CodeQL workflow currently leaves credentials persisted by default; update the
existing actions/checkout@v4 step to disable credential persistence. Modify the
Checkout repository step in the workflow so it uses the checkout action without
storing the GitHub token in git config, since this job only analyzes code and
never pushes changes.

Source: Linters/SAST tools


88-97: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Manual build step will always fail — consider providing actual build commands.

The Run manual build steps step unconditionally exit 1 when build-mode is manual. Currently the matrix only uses autobuild and none, so this step is skipped. However, if someone switches java-kotlin to manual in the future, the workflow will fail with a placeholder error instead of building the project. Consider replacing the placeholder with the actual Maven build command (mvn -B compile or similar) or removing the step to avoid confusion.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml around lines 88 - 97, The manual build
placeholder in the workflow will fail whenever `matrix.build-mode` is set to
`manual`; update the `Run manual build steps` job step to use the real build
logic instead of the dummy `exit 1`. Use the workflow’s existing build-mode
handling to either run the appropriate Maven compile command for `java-kotlin`
in this step or remove the step if manual mode is not supported, so the
`codeql.yml` workflow doesn’t break later when `manual` is enabled.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql-config.yml:
- Around line 1-5: The CodeQL config file is in the wrong directory and is being
treated as a workflow file, so move the existing codeql-config.yml from
.github/workflows to .github/codeql to match the path used by the codeql
workflow and avoid actionlint parsing errors. Keep the contents unchanged; only
relocate the file so the CodeQL init step can find it and the .github/workflows
directory contains only actual workflow definitions.

In @.github/workflows/codeql.yml:
- Around line 69-74: The Initialize CodeQL step in the codeql workflow points
`config-file` at a non-existent absolute path. Update the
`github/codeql-action/init@v4` configuration to reference the
repository-relative location without the leading slash, and make sure it matches
where `codeql-config.yml` will live after the move to `.github/codeql/`.

In `@base/src/main/java/com/tinyengine/it/test/VulnerableTest.java`:
- Around line 75-86: The /file-read endpoint in VulnerableTest is building a
filesystem path directly from the filename request parameter, which allows path
traversal. Update fileRead(String filename) to stop concatenating raw input into
new File(...) and instead validate and normalize the requested path against the
intended base directory before opening it with FileReader; reject any input that
escapes /var/data or use a fixed allowlist of safe filenames.
- Around line 52-63: The ssrf endpoint in VulnerableTest is directly opening an
HttpURLConnection from untrusted urlParam, which makes the route exploitable for
SSRF. Fix ssrf by removing direct URL construction from user input or by
enforcing a strict allowlist of permitted hosts/schemes before creating the URL
and opening the connection, and ensure any outbound request goes through a
validated helper rather than raw new URL(...) / openConnection() calls.
- Around line 37-48: The commandInjection endpoint is directly passing
user-controlled filename into Runtime.exec, creating a command injection risk.
Update commandInjection to stop building a shell command from raw request data;
instead use a safe ProcessBuilder/argument list with fixed command tokens and
validate/whitelist filename before use. Keep the fix localized to the
commandInjection method and ensure no user input reaches Runtime.exec as a
single concatenated string.
- Around line 67-71: The issue is that `VulnerableTest.hardcodedCredential()`
and the `DriverManager.getConnection` usage contain plaintext credentials in
source. Remove the hardcoded `password` and `apiKey` values and replace them
with test-safe placeholders or injected values, and either move this class into
the test source set or refactor the connection setup so
`DriverManager.getConnection` does not embed secrets. Keep the fix localized to
`hardcodedCredential()` and the connection code path flagged by the scanner.
- Around line 20-33: The sqlInjection endpoint in VulnerableTest is exposing a
live SQL injection path by taking productId and concatenating it into a JDBC
query executed through Statement. Move this controller out of the main source
set or guard it behind a non-production profile/conditional so
`@GetMapping`("/sql-injection") is not deployed in production, and keep the
vulnerable query only in the isolated test fixture used for CodeQL validation.
- Around line 16-17: The VulnerableTest controller is currently in the
production classpath and gets picked up by Spring component scanning, exposing
dangerous endpoints at runtime. Move the VulnerableTest class out of
base/src/main/java into test-only sources, or guard the `@RestController` with a
non-production profile so it is not registered in production. Keep the fix
scoped to the VulnerableTest type and its Spring annotations so the app module
no longer exposes those endpoints.

---

Nitpick comments:
In @.github/workflows/codeql.yml:
- Around line 59-60: The checkout step in the CodeQL workflow currently leaves
credentials persisted by default; update the existing actions/checkout@v4 step
to disable credential persistence. Modify the Checkout repository step in the
workflow so it uses the checkout action without storing the GitHub token in git
config, since this job only analyzes code and never pushes changes.
- Around line 88-97: The manual build placeholder in the workflow will fail
whenever `matrix.build-mode` is set to `manual`; update the `Run manual build
steps` job step to use the real build logic instead of the dummy `exit 1`. Use
the workflow’s existing build-mode handling to either run the appropriate Maven
compile command for `java-kotlin` in this step or remove the step if manual mode
is not supported, so the `codeql.yml` workflow doesn’t break later when `manual`
is enabled.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4969a368-e7ad-4fe8-90e9-d3f059c491d5

📥 Commits

Reviewing files that changed from the base of the PR and between 0045f62 and ca92133.

📒 Files selected for processing (3)
  • .github/workflows/codeql-config.yml
  • .github/workflows/codeql.yml
  • base/src/main/java/com/tinyengine/it/test/VulnerableTest.java

Comment thread .github/workflows/codeql-config.yml
Comment thread .github/workflows/codeql.yml Outdated
Comment thread base/src/main/java/com/tinyengine/it/test/VulnerableTest.java Outdated
Comment thread base/src/main/java/com/tinyengine/it/test/VulnerableTest.java Outdated
Comment thread base/src/main/java/com/tinyengine/it/test/VulnerableTest.java Outdated
Comment thread base/src/main/java/com/tinyengine/it/test/VulnerableTest.java Outdated
Comment thread base/src/main/java/com/tinyengine/it/test/VulnerableTest.java Outdated
Comment thread base/src/main/java/com/tinyengine/it/test/VulnerableTest.java Outdated
Comment thread base/src/main/java/com/tinyengine/it/test/VulnerableTest.java Fixed
Comment thread base/src/main/java/com/tinyengine/it/test/VulnerableTest.java Fixed
Comment thread base/src/main/java/com/tinyengine/it/test/VulnerableTest.java Fixed
Comment thread base/src/main/java/com/tinyengine/it/test/VulnerableTest.java Fixed
Comment thread base/src/main/java/com/tinyengine/it/test/VulnerableTest.java Fixed
Comment thread base/src/main/java/com/tinyengine/it/test/VulnerableTest.java Fixed
Comment thread base/src/main/java/com/tinyengine/it/test/VulnerableTest.java Fixed
Comment thread base/src/main/java/com/tinyengine/it/test/VulnerableTest.java Fixed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants