Skip to content

Harden CodeQL enforcement and native coverage #3285

Description

@CompleteDotTech

Problem

CodeQL security analysis is healthy for JavaScript/TypeScript, Rust, Python, and GitHub Actions, and the original high-severity path-injection alert is fixed. The remaining gaps are:

  • CodeQL is not currently a required merge protection on main
  • the repository's native Swift code is not yet accepted by the main code-scanning configuration
  • the separate Code Quality product needs an explicit billing decision before its 2026-07-20 general availability

Latest confirmed security run: https://github.com/OpenCoven/coven-cave/actions/runs/29514716957

Subtasks

  • Fix code-scanning alert chore(release): stamp v0.0.39 #122 without changing valid familiar workspace behavior
    • keep the strict familiar-id allow-list
    • pass a CodeQL-recognized sanitized local into workspace resolution
    • add traversal-rejection and declared-workspace regression coverage
    • verified fixed after PR Fix CodeQL familiar contract path alert #3286 merged as 0cdb8ebb7913ab975c79aa9ea2ac8eb2ca11d91e; post-merge main CodeQL run 29514716957 succeeded and alert chore(release): stamp v0.0.39 #122 changed to fixed at 2026-07-16T16:16:24Z
  • Add CodeQL merge protection for High and Critical findings
    • preserve and record the existing required CI checks
    • define the repository ruleset: main, tool CodeQL, high_or_higher, alerts threshold none
    • have a repository administrator create the active ruleset — CodeQL merge gate ruleset 19123333, active on main since 2026-07-17T20:40Z
    • verify a pull request is blocked until CodeQL completes and when it reports a new High/Critical finding — rule-suites show code_scanning: fail ("still expecting N results from CodeQL") while analyses are in flight (e.g. suites 3378076322, 3378235633), and pass once uploaded (suite 3378375304 for PR fix(security): finalize CodeQL enforcement — swift audit job, gate parity, Code Quality decision (#3285) #3452); threshold high_or_higher gates new High/Critical findings
  • Add Swift CodeQL coverage
  • Review the separate Code Quality analysis and retain or disable it intentionally based on findings and cost
    • inventory: 89 open findings (1 error, 17 warnings, 71 notes) across JavaScript/TypeScript and Python; latest run 29514717094 succeeded
    • identify non-duplicate value: finding #4623 is a real Python syntax error at marketplace/plugins/pptx-generator/skills/pptx-generator/cookbook/carousels/quote-slide.py:88
    • document billing change: GitHub says Actions, active-committer, and AI-credit charges begin 2026-07-20
    • disable before general availability unless the organization explicitly approves the product costs — no approval on record; findings snapshotted (85), the one error-severity finding fixed in PR fix(security): finalize CodeQL enforcement — swift audit job, gate parity, Code Quality decision (#3285) #3452, then PATCH /repos/OpenCoven/coven-cave/code-quality/setup state=not-configured on 2026-07-18 (verified not-configured, AI findings disabled) ahead of the 2026-07-20 GA billing date

Acceptance criteria

  • Alert chore(release): stamp v0.0.39 #122 is fixed or closed with evidence from a post-merge main scan.
  • Pull requests cannot merge while CodeQL reports a new High or Critical finding or has not completed.
  • All currently scanned languages remain covered.
  • Swift coverage is enabled, or a documented blocker and follow-up implementation plan is recorded.
  • Changes are delivered through scoped PRs with relevant tests and remote CodeQL verification.

Metadata

Metadata

Labels

P1Notable frictioncodeqlCodeQL analysis, alerts, configuration, and coverageenhancementNew feature or requestsecuritySecurity hardening, vulnerabilities, and protective controls

Type

Fields

No fields configured for Bug.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions