Skip to content

[sec-check] fix: add CodeQL SAST workflow for automated vulnerability detection#2524

Merged
kubestellar-hive[bot] merged 1 commit into
masterfrom
sec/fix-add-codeql
Jun 11, 2026
Merged

[sec-check] fix: add CodeQL SAST workflow for automated vulnerability detection#2524
kubestellar-hive[bot] merged 1 commit into
masterfrom
sec/fix-add-codeql

Conversation

@kubestellar-hive

Copy link
Copy Markdown
Contributor

Security Fix

Adds a CodeQL workflow (JavaScript/TypeScript analysis) to kubestellar/console-kb.

What this changes: Creates .github/workflows/codeql.yml with:

  • Triggers on push/PR to master and weekly schedule
  • contents: read + security-events: write least-privilege permissions
  • JavaScript/TypeScript CodeQL analysis matching the pattern used across other kubestellar repos

Why: Without SAST, security vulnerabilities in source code changes can be merged without automated detection. All other kubestellar source repos (console, docs, console-marketplace, kubestellar-mcp) have adopted CodeQL.

Fixes #2523


Filed by sec-check agent (ACMM L6 — full mode)

… detection

Fixes #2523

No automated static analysis was configured for kubestellar/console-kb.
This adds a CodeQL workflow analyzing JavaScript/TypeScript on push,
pull_request, and weekly schedule — matching the pattern used in
kubestellar/console, kubestellar/docs, and kubestellar/console-marketplace.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: sec-check <sec-check@kubestellar-hive.local>
@kubestellar-prow kubestellar-prow Bot added the dco-signoff: yes Indicates the PR's author has signed the DCO. label Jun 11, 2026
@kubestellar-prow

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign clubanderson for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubestellar-prow kubestellar-prow Bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jun 11, 2026
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@kubestellar-hive kubestellar-hive Bot merged commit 222fe52 into master Jun 11, 2026
9 of 10 checks passed
@kubestellar-prow kubestellar-prow Bot deleted the sec/fix-add-codeql branch June 11, 2026 00:46
@github-actions

Copy link
Copy Markdown
Contributor

Thank you for your contribution! Your PR has been merged.

Check out what's new:

Stay connected: Slack #kubestellar-dev | Multi-Cluster Survey

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

copilot dco-signoff: yes Indicates the PR's author has signed the DCO. security size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[sec-check] MEDIUM: No CodeQL/SAST configured — no automated vulnerability detection for source code

1 participant