CodeQL (static analysis in CI)
GitHub CodeQL runs in workflow .github/workflows/codeql.yml (repository root) on push/PR to main and dev, a weekly schedule, and manually (Actions → CodeQL → Run workflow, workflow_dispatch). Steps use github/codeql-action@v4 (init, autobuild, analyze).
What is analyzed
| Language | Scope (see .github/codeql/) |
|---|---|
| JavaScript / TypeScript | app/ui/src |
| Python | app/web, app/processor (excluding app/processor/models and **/tests/**) |
Where to see results
On GitHub.com: Security → Code scanning (alerts and history).
Forks and private repos need GitHub Advanced Security for the full UI; the workflow still runs and uploads SARIF when permissions allow.
Local development (optional)
VS Code
The repo recommends the CodeQL extension (extension ID GitHub.vscode-codeql, capital G for the publisher) via .vscode/extensions.json. Open the repository root so Recommended extensions appear. After a local run, use CodeQL: View SARIF or open a database from .tools/codeql-dbs/.
If the Marketplace search finds nothing:
- Terminal: `code --install-extension GitHub.vscode-codeql` (VS Code CLI).
- Or download the `.vsix` from the Marketplace page → Extensions → ⋯ → Install from VSIX….
- CI and `scripts/codeql-local.sh` do not require the extension; use GitHub Code scanning or another SARIF viewer if needed.
CLI
Run scripts/codeql-local.sh (requires gh, unzip, Node 22+, Python 3.12+). It downloads the CodeQL bundle under .tools/ (gitignored), installs query packs under ~/.codeql/packages, builds databases, and writes SARIF to .tools/codeql-results/.
Sample review (security-extended)
Previously reported Python findings in util.py, spectrogram.py, and go2RTC logging were addressed in code (see CODEQL.ru.md); optional SW postMessage hardening remains documented there.
The Code scanning aggregate shown on a PR (open alerts) is separate from the success of the CodeQL workflow job; align branch rules accordingly.
The CodeQL job does not have to be green for a merge under branch protection unless you add CodeQL / code scanning as a required check in the repository ruleset.
Related
- SECURITY.md — threat model and manual review topics
- TESTING.md — runtime tests (pytest, Docker)