From d96c24a5ea78053886a15a69864a950c0a6c08bd Mon Sep 17 00:00:00 2001
From: Jonathan Haas
Date: Thu, 21 May 2026 13:40:52 -0700
Subject: [PATCH] ci: forbid github code scanning uploads
---
 .github/contracts/engineering-practices.yml | 3 +++
 .github/scripts/audit-engineering-practices.rb | 4 ++--
 test/audit_engineering_practices_test.rb | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/contracts/engineering-practices.yml b/.github/contracts/engineering-practices.yml
index 20c5681..f56bf2c 100644
--- a/.github/contracts/engineering-practices.yml
+++ b/.github/contracts/engineering-practices.yml
@@ -214,6 +214,9 @@ live_audit:
 forbidden_workflow_queries:
 codeql_action_workflows: 'github/codeql-action org:evalops path:.github/workflows'
 codeql_named_workflows: 'codeql org:evalops path:.github/workflows'
+ code_scanning_api_workflows: 'code-scanning/sarifs org:evalops path:.github/workflows'
+ sarif_upload_workflows: 'upload-sarif org:evalops path:.github/workflows'
+ security_events_write_workflows: '"security-events: write" org:evalops path:.github/workflows'
 commands:
 local_contract_check: "ruby .github/scripts/audit-engineering-practices.rb --contract-only"
 live_report: "ruby .github/scripts/audit-engineering-practices.rb --json-output engineering-practices-audit.json --markdown-output engineering-practices-audit.md"
diff --git a/.github/scripts/audit-engineering-practices.rb b/.github/scripts/audit-engineering-practices.rb
index f0d79fc..e447e9d 100644
--- a/.github/scripts/audit-engineering-practices.rb
+++ b/.github/scripts/audit-engineering-practices.rb
@@ -662,7 +662,7 @@ def build_findings(report)
 findings << {
 "practice" => "security-slo",
 "severity" => "high",
- "message" => "CodeQL workflow references were found in checked-in workflow paths.",
+ "message" => "CodeQL or GitHub Code Scanning workflow references were found in checked-in workflow paths.",
 "matches" => workflow_matches
 }
 end
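Review bot: The new `security_events_write_workflows` query matches only the exact phrase `"security-events: write"`, so a workflow that obtains the same scope through `permissions: write-all` (at workflow or job level) is not caught by this hunk; a companion entry such as `write_all_permission_workflows: '"permissions: write-all" org:evalops path:.github/workflows'` would close that gap. Spelling variants like `security-events: 'write'` or extra whitespace would also slip past an exact-phrase search, and as far as I recall code search indexes only the default branch, so the live audit presumably does not see workflows on other branches. The contract has no comment explaining why these three strings were chosen; a one-line note above `forbidden_workflow_queries:` naming the upload paths each query is meant to detect would help the next editor keep the set coherent. The `live_audit:` mapping continues outside the hunk.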
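Review bot: The finding message on the `+` line is a free-form string that the test hunk in `test/audit_engineering_practices_test.rb` matches by substring, which is why both had to change together in this commit and will again on the next rewording. Lifting the text into a frozen constant (for example `FORBIDDEN_WORKFLOW_FINDING_MESSAGE = "CodeQL or GitHub Code Scanning workflow references were found in checked-in workflow paths.".freeze`) and referencing it from both the finding and the test would let the test pin the behaviour rather than the wording. The message also no longer indicates which forbidden query produced the hit; the detail is attached under `"matches"`, but a reader of the message alone cannot distinguish a SARIF upload from a CodeQL reference. `build_findings` begins outside the hunk, and the trailing `end` appears to close an enclosing conditional rather than the method.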
@@ -798,7 +798,7 @@ def markdown_report(report)
 observed = no_codeql["observed_settings"] || {}
 lines << "- No-CodeQL config: `#{no_codeql["security_configuration_id"] || "unknown"}` default=`#{no_codeql["default_for_new_repos"] || "unknown"}` code_scanning_default_setup=`#{observed["code_scanning_default_setup"] || "unknown"}` assigned_repos=`#{no_codeql["assigned_repository_count"] || 0}`"
 workflow_match_count = Array(no_codeql["forbidden_workflow_queries"]).sum { |query| Array(query["matches"]).length }
- lines << "- CodeQL workflow matches: `#{workflow_match_count}`"
+ lines << "- CodeQL/Code Scanning workflow matches: `#{workflow_match_count}`"
 lines << "- CodeQL required-check matches: `#{Array(no_codeql["required_check_matches"]).length}`"
 Array(report.dig("live", "issue_queries")).each do |query|
 lines << "- #{query["key"]}: `#{query["total_count"]}`"
diff --git a/test/audit_engineering_practices_test.rb b/test/audit_engineering_practices_test.rb
index 295aaa6..3f902af 100644
--- a/test/audit_engineering_practices_test.rb
+++ b/test/audit_engineering_practices_test.rb
@@ -86,7 +86,7 @@ def test_codeql_drift_is_reported_without_fetching_code_scanning_alerts
 assert_equal "attention", report.fetch("status")
 findings = report.fetch("findings")
 assert findings.any? { |finding| finding.fetch("message").include?("CodeQL/default code-scanning baseline drifted") }
- assert findings.any? { |finding| finding.fetch("message").include?("CodeQL workflow references") }
+ assert findings.any? { |finding| finding.fetch("message").include?("CodeQL or GitHub Code Scanning workflow references") }
 assert findings.any? { |finding| finding.fetch("message").include?("CodeQL appears in branch protection") }
 assert_equal 1, report.dig("live", "no_codeql", "required_check_matches").length
 end
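Review bot: The relabelled summary on the `+` line still reports one total summed over every entry in `forbidden_workflow_queries`, so after this commit a non-zero count no longer tells the reader whether the hit was a CodeQL action, a SARIF upload, or a `security-events: write` grant. A per-query breakdown beneath the total would keep the report actionable; if each entry carries its key the way the `issue_queries` entries do, something like `Array(no_codeql["forbidden_workflow_queries"]).each { |query| lines << "  - #{query["key"]}: `#{Array(query["matches"]).length}`" }` placed after the total would do it. `markdown_report` starts and ends outside the hunk.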
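Review bot: Only the substring assertion is updated here; nothing visible in this commit exercises the three new contract queries (`code_scanning_api_workflows`, `sarif_upload_workflows`, `security_events_write_workflows`), so dropping one of them from the contract would not fail a test. A companion test that feeds a stubbed match for one of the new queries through the report and asserts that the `security-slo` finding appears would pin the new coverage; if this test already loads the real contract, asserting `assert_equal 5, report.dig("live", "no_codeql", "forbidden_workflow_queries").length` would be a cheaper guard against the query set silently shrinking. `test_codeql_drift_is_reported_without_fetching_code_scanning_alerts` starts outside the hunk.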