github-starred/cs249r_book
2
0
Fork 0
mirror of https://github.com/harvard-edge/cs249r_book.git synced 2026-05-07 10:08:50 -05:00
Code Issues 85 Packages Projects Releases 24 Wiki Activity
Files
c7b42e41d897fe1f928b29ae070bfcba2b147277
cs249r_book/.github/codeql/codeql-config.yml
Vijay Janapa Reddi cb3d21c493 chore(codeql): add paths-ignore for vendored bundles, shadow src, audit tools 
Three categories of code surfacing CodeQL alerts that aren't appropriate
to fix in-tree:

- book/quarto/tools/scripts/socratiQ/collaborative-widget-bridge.{js,umd.cjs}:
  minified upstream socratiQ widget bundle. Alerts (XSS, prototype
  pollution, tainted format string, insecure randomness, clear-text
  storage) live in vendored third-party code; report upstream rather
  than patch a build artifact.
- socratiq/src_shadow/**: shadow copy of socratiq client source for the
  shadow-DOM rendering path, parallel to socratiq/js/. Not part of the
  live web surface.
- tools/audit/**: local audit/maintenance scripts that operate on the
  user's own Quarto build output. Regex HTML strip is intentional for
  speed and safe given trusted input.

Default-setup CodeQL picks up .github/codeql/codeql-config.yml on next
weekly scan; pre-existing alerts on these paths still need manual
dismissal in the Security tab.
2026-05-01 17:24:02 -04:00

21 lines
1005 B
YAML
Raw Blame History

name: "MLSysBook CodeQL config"
# Paths excluded from analysis. Each entry below is code that operates on
# trusted local artifacts or is vendored from upstream — out of scope for
# the web-facing security analyses CodeQL applies by default.
paths-ignore:
# Vendored third-party widget bundle (minified output from upstream
# socratiQ collaborative-widget-bridge build). Not hand-edited; alerts
# here should be reported upstream, not patched in-tree.
- "book/quarto/tools/scripts/socratiQ/collaborative-widget-bridge.js"
- "book/quarto/tools/scripts/socratiQ/collaborative-widget-bridge.umd.cjs"
# Shadow copy of socratiq client source — parallel to socratiq/js/, kept
# for the shadow-DOM rendering path. Not part of the live web surface.
- "socratiq/src_shadow/**"
# Local audit/maintenance scripts that operate on the user's own Quarto
# build output. Not web-facing; regex-based HTML strip is intentional
# for speed and is safe given trusted input.
- "tools/audit/**"
Reference in New Issue View Git Blame Copy Permalink