Skip to content

Exclude 3rd party license compliance content from GHAS scanning#11127

Merged
andyfeller merged 1 commit intotrunkfrom
andyfeller/11126-ghas-ignore-3rd-party-source
Jun 16, 2025
Merged

Exclude 3rd party license compliance content from GHAS scanning#11127
andyfeller merged 1 commit intotrunkfrom
andyfeller/11126-ghas-ignore-3rd-party-source

Conversation

@andyfeller
Copy link
Contributor

@andyfeller andyfeller commented Jun 16, 2025
edited
Loading

Fixes #11126
Relates #11047

These changes will cause GitHub Advanced Security to ignore the auto-generated content around 3rd party dependencies used by cli/cli from static code analysis and secret scanning.

For more information:

Copilot AI review requested due to automatic review settings June 16, 2025 17:39
@andyfeller andyfeller requested a review from a team as a code owner June 16, 2025 17:39
@andyfeller andyfeller requested a review from williammartin June 16, 2025 17:39
Copilot AI reviewed Jun 16, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR configures GitHub Advanced Security to skip auto-generated third-party dependency content and associated license files during code scanning and secret scanning.

  • Adds paths-ignore patterns to the CodeQL workflow to exclude third-party/** and license Markdown files.
  • Introduces a secret scanning config file that excludes the same paths from secret scanning.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
.github/workflows/codeql.yml Added a config block under the CodeQL analysis step to ignore third-party/** and Markdown license files
.github/secret_scanning.yml New file defining paths-ignore for secret scanning to exclude the third-party directory and license files
Comments suppressed due to low confidence (1)

.github/secret_scanning.yml:1

  • According to GitHub’s secret scanning schema, the config file should include a version field and wrap paths-ignore under the proper top-level key (e.g., push_protection or secret_scanning). Please update the file to match the expected structure.
paths-ignore:

BagToad
BagToad approved these changes Jun 16, 2025
View reviewed changes
Copy link
Member

@BagToad BagToad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks!

@andyfeller andyfeller merged commit 8532997 into trunk Jun 16, 2025
16 of 17 checks passed
@andyfeller andyfeller deleted the andyfeller/11126-ghas-ignore-3rd-party-source branch June 16, 2025 17:45
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Jun 19, 2025
build(deps): update cli/cli to v2.74.2
96ee68f 
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cli/cli](https://github.com/cli/cli) | patch | `v2.74.1` -> `v2.74.2` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>cli/cli (cli/cli)</summary>

### [`v2.74.2`](https://github.com/cli/cli/releases/tag/v2.74.2): GitHub CLI 2.74.2

[Compare Source](cli/cli@v2.74.1...v2.74.2)

#### What's Changed

##### 🐛 Fixes

- Fix assignees being dropped from `gh pr edit` by [@&#8203;BagToad](https://github.com/BagToad) in cli/cli#11065
- Add accurate context when run rerun fails by [@&#8203;leudz](https://github.com/leudz) in cli/cli#10774
- Avoid requesting MR reviewer twice by [@&#8203;williammartin](https://github.com/williammartin) in cli/cli#11099
- Quote filenames suggested at the end of worklow run by [@&#8203;williammartin](https://github.com/williammartin) in cli/cli#11134
- Fix expected error output of TestRepo/repo-rename-transfer-ownership by [@&#8203;aconsuegra](https://github.com/aconsuegra) in cli/cli#10888

##### 📚 Docs & Chores

- Add instructions for MidnightBSD installation by [@&#8203;laffer1](https://github.com/laffer1) in cli/cli#10699
- docs: update install command for Debian by [@&#8203;MagneticNeedle](https://github.com/MagneticNeedle) in cli/cli#10935
- Fix step order for CodeQL workflow by [@&#8203;BagToad](https://github.com/BagToad) in cli/cli#11145
- Add workflow to check `help wanted` labelling by [@&#8203;williammartin](https://github.com/williammartin) in cli/cli#11105
- Quote workflow conditional by [@&#8203;williammartin](https://github.com/williammartin) in cli/cli#11122
- Fix script path for help-wanted check by [@&#8203;BagToad](https://github.com/BagToad) in cli/cli#11125
- Exclude 3rd party license compliance content from GHAS scanning by [@&#8203;andyfeller](https://github.com/andyfeller) in cli/cli#11127
- Second fix for file not found in help-wanted check by [@&#8203;BagToad](https://github.com/BagToad) in cli/cli#11128
- Ensure gh executes in workflow check script by [@&#8203;williammartin](https://github.com/williammartin) in cli/cli#11133
- Improve help wanted check skipping logic by [@&#8203;BagToad](https://github.com/BagToad) in cli/cli#11135

##### :dependabot: Dependencies

- Bump go to 1.24 by [@&#8203;williammartin](https://github.com/williammartin) in cli/cli#11142
- chore(deps): bump mislav/bump-homebrew-formula-action from 3.2 to 3.4 by [@&#8203;dependabot](https://github.com/dependabot) in cli/cli#11066
- chore(deps): bump github.com/sigstore/protobuf-specs from 0.4.2 to 0.4.3 by [@&#8203;dependabot](https://github.com/dependabot) in cli/cli#11092
- chore(deps): bump google.golang.org/grpc from 1.72.0 to 1.72.2 by [@&#8203;dependabot](https://github.com/dependabot) in cli/cli#11033
- chore(deps): bump actions/attest-build-provenance from 2.3.0 to 2.4.0 by [@&#8203;dependabot](https://github.com/dependabot) in cli/cli#11107
- chore(deps): bump github.com/in-toto/attestation from 1.1.1 to 1.1.2 by [@&#8203;dependabot](https://github.com/dependabot) in cli/cli#11123
- chore(deps): bump github.com/google/go-containerregistry from 0.20.3 to 0.20.6 by [@&#8203;dependabot](https://github.com/dependabot) in cli/cli#11120
- Bump golangci-lint to v2 by [@&#8203;williammartin](https://github.com/williammartin) in cli/cli#11121

#### New Contributors

- [@&#8203;MagneticNeedle](https://github.com/MagneticNeedle) made their first contribution in cli/cli#10935
- [@&#8203;laffer1](https://github.com/laffer1) made their first contribution in cli/cli#10699

**Full Changelog**: cli/cli@v2.74.1...v2.74.2

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42MC4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjAuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiUmVub3ZhdGUgQm90Il19-->
SamMorrowDrums added a commit to github/github-mcp-server that referenced this pull request Dec 12, 2025
@SamMorrowDrums
feat: auto-fix license files on PRs and improve CI reliability
3ee7234 
- license-check.yml: Auto-regenerate licenses, push fix to PR, and comment
- script/licenses: Pin go-licenses version in CI for reproducibility
- script/licenses-check: Pin go-licenses version in CI
- code-scanning.yml: Exclude third-party folder from CodeQL

Inspired by cli/cli improvements:
- cli/cli#11161 (pinned version)
- cli/cli#11127 (GHAS exclusion)
- cli/cli#11370 (auto-regenerate)
@SamMorrowDrums SamMorrowDrums mentioned this pull request Dec 12, 2025
Merged
SamMorrowDrums added a commit to github/github-mcp-server that referenced this pull request Dec 12, 2025
@SamMorrowDrums
feat: auto-fix license files on PRs and improve CI reliability
a27f96f 
- license-check.yml: Auto-regenerate licenses, push fix to PR, and comment
- script/licenses: Pin go-licenses version in CI for reproducibility
- script/licenses-check: Pin go-licenses version in CI
- code-scanning.yml: Exclude third-party folder from CodeQL

Inspired by cli/cli improvements:
- cli/cli#11161 (pinned version)
- cli/cli#11127 (GHAS exclusion)
- cli/cli#11370 (auto-regenerate)
SamMorrowDrums added a commit to github/github-mcp-server that referenced this pull request Dec 12, 2025
@SamMorrowDrums
feat: auto-fix license files on PRs and improve CI reliability
02b4394 
- license-check.yml: Auto-regenerate licenses, push fix to PR, and comment
- script/licenses: Pin go-licenses version in CI for reproducibility
- script/licenses-check: Pin go-licenses version in CI
- code-scanning.yml: Exclude third-party folder from CodeQL

Inspired by cli/cli improvements:
- cli/cli#11161 (pinned version)
- cli/cli#11127 (GHAS exclusion)
- cli/cli#11370 (auto-regenerate)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@BagToad BagToad BagToad approved these changes

@williammartin williammartin Awaiting requested review from williammartin williammartin is a code owner automatically assigned from cli/code-reviewers

Assignees

@andyfeller andyfeller

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Exclude third-party source code from CodeQL and security scans

2 participants

@andyfeller @BagToad

Comments