
ci: enable CodeQL static analysis #15

Merged: marinsalinas merged 1 commit into `main` from `ci/codeql` on Apr 26, 2026

Conversation

@marinsalinas
Owner

Summary

Enables GitHub CodeQL semantic static analysis on every push to `main`, every PR, and weekly as a backstop for upstream query updates. Findings will appear under Security → Code scanning.

Why this is worth it for hevy-cli specifically

Beyond generic OSS hygiene, this CLI has a few real surfaces that benefit from semantic analysis:

  • User-supplied file paths (`hevy workouts create --file`, `hevy routines create --file`) — path traversal class.
  • API key handling — masking, env var precedence, accidental log inclusion.
  • HTTP URL construction in `HevyClient` — SSRF / URL-injection class.
  • Click argument parsing — input handling on a public-facing surface.

CodeQL's `security-and-quality` query suite covers all of these and more.

Configuration choices

  • Query suite: `security-and-quality` rather than `security-extended`. Broader; surfaces both vulnerability and maintainability findings. Easy to narrow later if noise becomes an issue.
  • Languages: `python` only. No JS/TS/Go in this repo.
  • Schedule: weekly Mondays 07:29 UTC. Off-peak, doesn't fight Dependabot's Monday morning runs.
  • Autobuild step kept even though it's a no-op for pure Python — preserves the canonical CodeQL workflow shape so future native-extension code (e.g., if we add a Rust accelerator) needs zero workflow change.

Bonus cleanup in this PR

  • Adds a CodeQL badge to the README badges row.
  • Adds a "Proactive measures in this repo" section to `SECURITY.md` documenting CodeQL, Dependabot, OIDC + Sigstore, and branch protection. Useful for security researchers landing on the repo.
  • Fixes a stale reference in `SECURITY.md` from the deleted `release.yml` to the consolidated `release-please.yml`.

Test plan

  • Workflow file passes Conventional Commits hook.
  • CI on this branch — should pass (CodeQL is independent of the CI workflow).
  • CodeQL run on this PR — should produce zero high-severity findings, ideally zero findings overall (the codebase is small and well-typed). Any findings will be reviewed inline as PR review comments.

Not in this PR (deferred)

  • Adding CodeQL as a required status check in the branch protection ruleset. Will promote it after a few weeks of clean runs to confirm low false-positive rate.
  • Custom CodeQL config (`.github/codeql/codeql-config.yml`) for excluding test fixtures or adding custom queries. Will add only if defaults turn out to be noisy.

Version bump

This is `ci:` — release-please will not bump the version. Pure infrastructure change, nothing to ship to PyPI.

Adds GitHub's CodeQL semantic analysis on push to main, every PR, and
weekly as a safety net for upstream query updates. Findings appear in
the repo's Security tab. Free for public repos, no Action minutes
budget impact.

Configured with the security-and-quality query suite (broader than
security-extended) so we catch both vulnerability and maintainability
findings — useful surface for a CLI that handles user-supplied file
paths, API keys, and HTTP URLs.

Also:
- Adds a CodeQL badge to the README badges row.
- Documents the existing proactive measures (CodeQL, Dependabot,
  Trusted Publishing, branch protection) in SECURITY.md.
- Fixes a stale reference in SECURITY.md from the deleted release.yml
  to the consolidated release-please.yml.
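For readers who want to see what the configuration choices above look like in an actual workflow, here is an added example of a CodeQL workflow that matches them (push to `main`, every PR, weekly Monday 07:29 UTC cron, `python` only, `security-and-quality` suite, autobuild step kept). It is written for this page and is not the PR's own file; the path `.github/workflows/codeql.yml` and the job name are assumptions.

```yaml
# Added example: a CodeQL workflow reflecting the PR's stated configuration.
# Not the repository's own file; the path .github/workflows/codeql.yml is assumed.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly backstop so upstream query updates get applied even without commits.
    # Mondays 07:29 UTC: off-peak and away from Dependabot's Monday morning runs.
    - cron: '29 7 * * 1'

# Default token permissions are read-only; the job below requests only what it needs.
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      contents: read          # checkout
      security-events: write  # upload SARIF results to Security -> Code scanning
      actions: read           # required on private repos; harmless on public ones
    strategy:
      fail-fast: false
      matrix:
        language: [python]    # no JS/TS/Go in this repo

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Broader than security-extended: vulnerability plus maintainability findings.
          queries: security-and-quality

      # No-op for pure Python. Kept so the canonical CodeQL shape survives a
      # future native extension without any workflow change.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Two practitioner notes on this shape. The deferred custom config can later be attached without restructuring the job by adding `config-file: .github/codeql/codeql-config.yml` to the `with:` block of the init step, which is where test-fixture path exclusions and extra query packs would live. And because this workflow is itself part of the supply chain it scans, pinning the `actions/*` and `github/codeql-action/*` references to full commit SHAs (with Dependabot keeping them current) removes the remaining mutable-tag dependency.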
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@codecov

codecov Bot commented Apr 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.02%. Comparing base (92d62b0) to head (a2210b3).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #15   +/-   ##
=======================================
  Coverage   82.02%   82.02%           
=======================================
  Files          14       14           
  Lines        1157     1157           
  Branches      112      112           
=======================================
  Hits          949      949           
  Misses        176      176           
  Partials       32       32           


@marinsalinas marinsalinas merged commit 558ec14 into main Apr 26, 2026
11 checks passed
@marinsalinas marinsalinas deleted the ci/codeql branch April 26, 2026 02:41