28 changes: 27 additions & 1 deletion .github/workflows/codeql.yaml
Expand Up @@ -28,15 +28,41 @@ jobs:
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2

- name: Copy .gts files as .ts for CodeQL
if: matrix.language == 'javascript-typescript'
run: |
find . -name "*.gts" -not -path "*/node_modules/*" | while read f; do
cp "$f" "${f%.gts}.ts"
perl -i -0777 -pe 's/<template>.*?<\/template>//gs' "${f%.gts}.ts"
perl -i -pe "s/^import\s+.*?\s+from\s+'https?:\/\/[^']*';?\s*\n?//g" "${f%.gts}.ts"
echo "=== Stripped: ${f%.gts}.ts ==="
cat "${f%.gts}.ts"
done

- name: Log .ts files available for CodeQL
if: matrix.language == 'javascript-typescript'
run: |
echo "=== All .ts files (excl. node_modules) ==="
find . -name "*.ts" -not -path "*/node_modules/*"
echo "=== All .gts files (excl. node_modules) ==="
find . -name "*.gts" -not -path "*/node_modules/*"

- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
queries: security-extended
threat-models: remote

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: /language:${{ matrix.language }}
output: ${{ runner.temp }}/results

- name: Upload SARIF for inspection
if: matrix.language == 'javascript-typescript'
uses: actions/upload-artifact@v4
with:
name: codeql-sarif
path: ${{ runner.temp }}/results
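Review bot: The copy step's `cp "$f" "${f%.gts}.ts"` overwrites any real sibling `.ts` that shares a stem with a `.gts` file, so a hand-written `foo.ts` next to `foo.gts` would be replaced by the stripped copy before analysis runs; guard on the destination and use a NUL-delimited loop so unusual file names cannot split the `read`. The `cat` of every stripped file into the job log reads as debugging output and can go once the transform is trusted. `github/codeql-action` and `actions/upload-artifact` are referenced by mutable `@v4` tags while checkout is pinned to a commit SHA with a version comment; pinning them the same way keeps the workflow's supply-chain posture consistent. The upload step runs only on success, so the SARIF is lost exactly when analysis fails — `if: always() && matrix.language == 'javascript-typescript'` keeps it.
```yaml
      - name: Copy .gts files as .ts for CodeQL
        if: matrix.language == 'javascript-typescript'
        run: |
          find . -name "*.gts" -not -path "*/node_modules/*" -print0 | while IFS= read -r -d '' f; do
            out="${f%.gts}.ts"
            if [ -e "$out" ]; then
              echo "skipping $f: $out already exists"
              continue
            fi
            cp "$f" "$out"
            # … unchanged apart from using "$out": perl template/import stripping …
            echo "=== Stripped: $out ==="
          done
```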
5 changes: 5 additions & 0 deletions codeql-test.ts
@@ -0,0 +1,5 @@
// codeql-validation: test file to verify CodeQL captures js/code-injection — remove before merge
export function testCodeInjection() {
const result = eval(location.search);

Check failure

Code scanning / CodeQL

Code injection Critical

This code execution depends on a
user-provided value
.
return result;
}
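Review bot: `testCodeInjection` declares no return type, so the `any` produced by `eval` becomes its inferred return type and leaks to any importer for as long as this file exists; `export function testCodeInjection(): unknown {` keeps the sink while containing the `any`. The header comment relies on a human to delete the file before merge, and because it sits at the repository root as an ordinary `.ts` module it is presumably picked up by the project's compile and could ship if that cleanup is missed — an `exclude` entry in the TypeScript config, or a path outside the build roots, would limit that until removal. `location` is a browser global, so this file also only type-checks against the DOM lib; worth confirming the project's `lib` setting includes it rather than relying on an ambient declaration.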
4 changes: 3 additions & 1 deletion sample-command-card.gts
Expand Up @@ -37,7 +37,9 @@ export class SampleCommand extends Command<
}

protected async run(input: SampleInput): Promise<SampleOutput> {
return new SampleOutput({ result: `Processed: ${input.prompt}` });
// codeql-validation: intentional eval for CodeQL alert testing — remove before merge
const result = eval(location.search); // CodeQL: js/code-injection — location.search is a known taint source
return new SampleOutput({ result: `Processed: ${result}` });
}
}

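Review bot: The new body of `run` drops the only use of `input`, so the method now ignores its `SampleInput` and the `Processed:` string no longer reflects `input.prompt`; under `noUnusedParameters` that is a compile error, and the later cleanup must reconstruct the deleted return instead of just deleting the sink. Keeping the original return and adding the sink as a separate statement — `const result = eval(location.search); // CodeQL: js/code-injection` followed by the unchanged return of `Processed: ${input.prompt}` — makes the eventual removal a pure deletion, though `result` would then need a use or a `void result;` to satisfy unused-local lint. `location` is a browser global; if `SampleCommand.run` can execute outside a window context this line would throw before reaching the sink, which is worth confirming against where commands run. The enclosing `SampleCommand` class begins above the hunk.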