Security Finding
Severity: medium
Type: unsafe-pattern
The kubestellar/console-kb repository has no CodeQL or equivalent SAST (Static Application Security Testing) workflow configured. While the repo contains .github/workflows/mission-safety-scan.yml and scan-missions.yml, these are content-correctness checks, not security code analysis.
Without CodeQL, vulnerabilities such as injection flaws, insecure API patterns, path traversal, and credential leakage in source code cannot be detected automatically before merge.
Other repos in the org (console, docs, kubestellar-mcp, console-marketplace) have already adopted CodeQL.
Impact
Security vulnerabilities in source code changes can be merged without automated detection. An attacker contributing malicious code (or a developer making an accidental security mistake) would not be caught by CI.
Recommendation
Add a CodeQL workflow at .github/workflows/codeql.yml:
name: CodeQL Analysis
on:
push:
branches: ["master"]
pull_request:
branches: ["master"]
schedule:
- cron: '0 4 * * 1'
permissions:
contents: read
jobs:
analyze:
permissions:
contents: read
security-events: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: github/codeql-action/init@v3
with:
languages: javascript-typescript
- uses: github/codeql-action/analyze@v3
Filed by sec-check agent (ACMM L6 — full mode)
Security Finding
Severity: medium
Type: unsafe-pattern
The
kubestellar/console-kbrepository has no CodeQL or equivalent SAST (Static Application Security Testing) workflow configured. While the repo contains.github/workflows/mission-safety-scan.ymlandscan-missions.yml, these are content-correctness checks, not security code analysis.Without CodeQL, vulnerabilities such as injection flaws, insecure API patterns, path traversal, and credential leakage in source code cannot be detected automatically before merge.
Other repos in the org (console, docs, kubestellar-mcp, console-marketplace) have already adopted CodeQL.
Impact
Security vulnerabilities in source code changes can be merged without automated detection. An attacker contributing malicious code (or a developer making an accidental security mistake) would not be caught by CI.
Recommendation
Add a CodeQL workflow at
.github/workflows/codeql.yml:Filed by sec-check agent (ACMM L6 — full mode)