ci: forbid GitHub code scanning uploads

.github/contracts/engineering-practices.yml

@@ -214,6 +214,9 @@ live_audit:
     forbidden_workflow_queries:
       codeql_action_workflows: 'github/codeql-action org:evalops path:.github/workflows'
       codeql_named_workflows: 'codeql org:evalops path:.github/workflows'
+      code_scanning_api_workflows: 'code-scanning/sarifs org:evalops path:.github/workflows'
+      sarif_upload_workflows: 'upload-sarif org:evalops path:.github/workflows'
+      security_events_write_workflows: '"security-events: write" org:evalops path:.github/workflows'
 commands:
   local_contract_check: "ruby .github/scripts/audit-engineering-practices.rb --contract-only"
   live_report: "ruby .github/scripts/audit-engineering-practices.rb --json-output engineering-practices-audit.json --markdown-output engineering-practices-audit.md"

.github/scripts/audit-engineering-practices.rb

@@ -662,7 +662,7 @@ def build_findings(report)
       findings << {
         "practice" => "security-slo",
         "severity" => "high",
-        "message" => "CodeQL workflow references were found in checked-in workflow paths.",
+        "message" => "CodeQL or GitHub Code Scanning workflow references were found in checked-in workflow paths.",
         "matches" => workflow_matches
       }
     end
@@ -798,7 +798,7 @@ def markdown_report(report)
     observed = no_codeql["observed_settings"] || {}
     lines << "- No-CodeQL config: `#{no_codeql["security_configuration_id"] || "unknown"}` default=`#{no_codeql["default_for_new_repos"] || "unknown"}` code_scanning_default_setup=`#{observed["code_scanning_default_setup"] || "unknown"}` assigned_repos=`#{no_codeql["assigned_repository_count"] || 0}`"
     workflow_match_count = Array(no_codeql["forbidden_workflow_queries"]).sum { |query| Array(query["matches"]).length }
-    lines << "- CodeQL workflow matches: `#{workflow_match_count}`"
+    lines << "- CodeQL/Code Scanning workflow matches: `#{workflow_match_count}`"
     lines << "- CodeQL required-check matches: `#{Array(no_codeql["required_check_matches"]).length}`"
     Array(report.dig("live", "issue_queries")).each do |query|
       lines << "- #{query["key"]}: `#{query["total_count"]}`"

test/audit_engineering_practices_test.rb

@@ -86,7 +86,7 @@ def test_codeql_drift_is_reported_without_fetching_code_scanning_alerts
     assert_equal "attention", report.fetch("status")
     findings = report.fetch("findings")
     assert findings.any? { |finding| finding.fetch("message").include?("CodeQL/default code-scanning baseline drifted") }
-    assert findings.any? { |finding| finding.fetch("message").include?("CodeQL workflow references") }
+    assert findings.any? { |finding| finding.fetch("message").include?("CodeQL or GitHub Code Scanning workflow references") }
     assert findings.any? { |finding| finding.fetch("message").include?("CodeQL appears in branch protection") }
     assert_equal 1, report.dig("live", "no_codeql", "required_check_matches").length
   end