mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 22:41:31 +00:00
cowork
02f37420fa
Triggered by Reddit feedback (sysadmin user ran Aikido against the
public repo, reported critical command/file-inclusion findings, won't
deploy without seeing scanner-public credibility). Aikido's free tier
gates on OSI-approved licenses, which excludes BSL 1.1; CodeQL is
GitHub-native and free for public repos regardless of license.
Why CodeQL on top of the existing security-deep-scan.yml gosec /
osv-scanner / trivy / ZAP / semgrep / schemathesis / nuclei / testssl:
gosec is single-file pattern matching; CodeQL does interprocedural
taint tracking that catches the same vulnerability classes when input
is laundered through several function calls or struct fields. SARIF
results land in the public Security tab where any operator/security
team auditing certctl can see scan history and triage state without
asking.
Workflow shape
=================
- Triggers: push to master, PR to master, weekly Sun 06:00 UTC
- Matrix: go + javascript-typescript
- Query suite: security-and-quality (security + maintainability,
comparable to Aikido / SonarCloud scope)
- Go version: 1.25.9 (matches ci.yml + release.yml + security-
deep-scan.yml)
- SARIF auto-uploads via codeql-action/analyze@v3 (implicit;
populates Security → Code scanning tab)
- permissions: contents:read + security-events:write + actions:read
- Fail-fast: false (Go and JS analysis run independently)
- Timeout: 30min
Suppressions for known-intentional findings (e.g., SSH connector's
InsecureIgnoreHostKey, ACME script-callout shell-out) get inline
codeql[<rule-id>] comments OR config-pack tweaks in a follow-up
commit, with the threat-model justification cited so external
readers see why the finding is intentional.
Verification
=================
- python3 yaml.safe_load(.github/workflows/codeql.yml): OK
- First run will surface in the Security tab on next push to master
Bundle: security/codeql-baseline