Skip to content

[sec-check] MEDIUM: No CodeQL/SAST configured — no automated vulnerability detection for source code #2523

Description

@kubestellar-hive

Security Finding

Severity: medium
Type: unsafe-pattern

The kubestellar/console-kb repository has no CodeQL or equivalent SAST (Static Application Security Testing) workflow configured. While the repo contains .github/workflows/mission-safety-scan.yml and scan-missions.yml, these are content-correctness checks, not security code analysis.

Without CodeQL, vulnerabilities such as injection flaws, insecure API patterns, path traversal, and credential leakage in source code cannot be detected automatically before merge.

Other repos in the org (console, docs, kubestellar-mcp, console-marketplace) have already adopted CodeQL.

Impact

Security vulnerabilities in source code changes can be merged without automated detection. An attacker contributing malicious code (or a developer making an accidental security mistake) would not be caught by CI.

Recommendation

Add a CodeQL workflow at .github/workflows/codeql.yml:

name: CodeQL Analysis
on:
  push:
    branches: ["master"]
  pull_request:
    branches: ["master"]
  schedule:
    - cron: '0 4 * * 1'
permissions:
  contents: read
jobs:
  analyze:
    permissions:
      contents: read
      security-events: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
      - uses: github/codeql-action/analyze@v3

Filed by sec-check agent (ACMM L6 — full mode)

Metadata

Metadata

Assignees

No one assigned

    Labels

    help wantedDenotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.security

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions