You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
CodeQL security analysis is healthy for JavaScript/TypeScript, Rust, Python, and GitHub Actions, and the original high-severity path-injection alert is fixed. The remaining gaps are:
CodeQL is not currently a required merge protection on main
the repository's native Swift code is not yet accepted by the main code-scanning configuration
the separate Code Quality product needs an explicit billing decision before its 2026-07-20 general availability
have a repository administrator create the active ruleset — CodeQL merge gate ruleset 19123333, active on main since 2026-07-17T20:40Z
verify a pull request is blocked until CodeQL completes and when it reports a new High/Critical finding — rule-suites show code_scanning: fail ("still expecting N results from CodeQL") while analyses are in flight (e.g. suites 3378076322, 3378235633), and pass once uploaded (suite 3378375304 for PR fix(security): finalize CodeQL enforcement — swift audit job, gate parity, Code Quality decision (#3285) #3452); threshold high_or_higher gates new High/Critical findings
Add Swift CodeQL coverage
evaluate default setup: it cannot generate the intentionally untracked Xcode project before Swift autobuild
verify Actions, JavaScript/TypeScript, Python, Rust, and Swift all initialize and run queries; run 29515551225 completed the Swift build and extracted 830,387 AST nodes
have a repository administrator disable default setup so advanced SARIF uploads are accepted — default setup not-configured, CODEQL_ADVANCED_UPLOAD=always, all four gated categories uploading from the advanced workflow
Review the separate Code Quality analysis and retain or disable it intentionally based on findings and cost
inventory: 89 open findings (1 error, 17 warnings, 71 notes) across JavaScript/TypeScript and Python; latest run 29514717094 succeeded
identify non-duplicate value: finding #4623 is a real Python syntax error at marketplace/plugins/pptx-generator/skills/pptx-generator/cookbook/carousels/quote-slide.py:88
document billing change: GitHub says Actions, active-committer, and AI-credit charges begin 2026-07-20
disable before general availability unless the organization explicitly approves the product costs — no approval on record; findings snapshotted (85), the one error-severity finding fixed in PR fix(security): finalize CodeQL enforcement — swift audit job, gate parity, Code Quality decision (#3285) #3452, then PATCH /repos/OpenCoven/coven-cave/code-quality/setup state=not-configured on 2026-07-18 (verified not-configured, AI findings disabled) ahead of the 2026-07-20 GA billing date
Problem
CodeQL security analysis is healthy for JavaScript/TypeScript, Rust, Python, and GitHub Actions, and the original high-severity path-injection alert is fixed. The remaining gaps are:
mainLatest confirmed security run: https://github.com/OpenCoven/coven-cave/actions/runs/29514716957
Subtasks
0cdb8ebb7913ab975c79aa9ea2ac8eb2ca11d91e; post-merge main CodeQL run 29514716957 succeeded and alert chore(release): stamp v0.0.39 #122 changed tofixedat 2026-07-16T16:16:24Zmain, toolCodeQL,high_or_higher, alerts thresholdnonemainsince 2026-07-17T20:40Zcode_scanning: fail("still expecting N results from CodeQL") while analyses are in flight (e.g. suites 3378076322, 3378235633), andpassonce uploaded (suite 3378375304 for PR fix(security): finalize CodeQL enforcement — swift audit job, gate parity, Code Quality decision (#3285) #3452); thresholdhigh_or_highergates new High/Critical findingsxcodebuildnot-configured,CODEQL_ADVANCED_UPLOAD=always, all four gated categories uploading from the advanced workflowmainmainanalyses made the merge gate unsatisfiable — fixed in PR fix(security): finalize CodeQL enforcement — swift audit job, gate parity, Code Quality decision (#3285) #3452: stale analyses purged, swift restored as a weekly/dispatch audit job (upload: never, step-summary + SARIF artifact), gate-parity invariant documented indocs/codeql.mdmarketplace/plugins/pptx-generator/skills/pptx-generator/cookbook/carousels/quote-slide.py:88PATCH /repos/OpenCoven/coven-cave/code-quality/setup state=not-configuredon 2026-07-18 (verifiednot-configured, AI findings disabled) ahead of the 2026-07-20 GA billing dateAcceptance criteria
mainscan.