Local Codeql scanning + patch findings #204
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pull request overview
This PR introduces local CodeQL scanning infrastructure and patches security findings identified by the scan. The changes include a complete scanning workflow with scripts, configuration, and remediation of incomplete sanitization issues.
Key changes:
- Added CodeQL scanning infrastructure with configuration file and shell script for local analysis
- Fixed incomplete HTML sanitization by globally replacing angle brackets instead of single-occurrence replacement
- Implemented post-build security patching script to address CodeQL findings in compiled bundles
Reviewed changes
Copilot reviewed 5 out of 7 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| src/sanitize.ts | Fixed incomplete sanitization by using global regex replacement for angle brackets |
| scripts/postbuild-secure-patch.mjs | Added post-build script to patch security issues in compiled dist files |
| scripts/codeql-scan.sh | Added comprehensive shell script for running local CodeQL analysis |
| package.json | Integrated security patch into build pipeline and added CodeQL scan commands |
| codeql-config.yml | Added CodeQL configuration with paths and exclusions for scanning |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 6 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 6 changed files in this pull request and generated 6 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 6 changed files in this pull request and generated 6 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: kwinto <90881+kwinto@users.noreply.github.com>
Co-authored-by: kwinto <90881+kwinto@users.noreply.github.com>
Replace rm -rf with cross-platform rimraf package
This PR adds CodeQL scan, fixes a finding in our source code + patches some minor issues in build.
The patches are created by LLM. If we find any problems with this new approach, we should disable the post-build patches all together. They do not fix anything critical or high importance.
Please test