Skip to content

ci(security): add initial SAST workflows and plan#151

Merged
grove merged 7 commits intomainfrom
codeql-workflow
Mar 10, 2026
Merged

ci(security): add initial SAST workflows and plan#151
grove merged 7 commits intomainfrom
codeql-workflow

Conversation

@grove
Copy link
Copy Markdown
Owner

@grove grove commented Mar 10, 2026

Summary

  • add a first-pass SAST stack for the PostgreSQL extension
  • add GitHub Actions workflows for CodeQL, cargo-deny, and Semgrep
  • add a detailed rollout plan in plans/testing/PLAN_SAST.md

What Changed

  • add Rust CodeQL analysis using the repo's existing pgrx setup
  • add cargo-deny checks backed by deny.toml
  • add an advisory Semgrep scan with SARIF upload
  • add initial extension-specific Semgrep rules for dynamic SPI SQL and SECURITY DEFINER review
  • document the threat model, phased rollout, rule roadmap, CI policy, and next implementation steps in PLAN_SAST.md

Validation

  • just fmt
  • just lint

Notes

  • Semgrep is intentionally advisory in this first pass so the rules can be tuned before becoming blocking.
  • The plan covers the next phases: findings triage, stronger PostgreSQL-specific rules, unsafe/FFI tracking, and a path to selective blocking policies.

@grove grove requested a review from BaardBouvet as a code owner March 10, 2026 16:03
@github-advanced-security
Copy link
Copy Markdown

github-advanced-security AI commented Mar 10, 2026

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

grove added 6 commits March 10, 2026 17:18
@grove
fix(ci): update CodeQL workflow to v4 and use build-mode none for Rust
c8779d8
@grove
docs(sast): add security newbie checklist section to PLAN_SAST.md
1856ebb
@grove
fix(ci): add licenses section to deny.toml, ignore unmaintained trans…
87c6cb3 
…itive deps

Add [licenses] allow-list to fix 275 blocked-by-default license rejections
(cargo deny v2 rejects all licenses not explicitly allowed when no [licenses]
section is present).

Also ignore three unmaintained-crate advisories from transitive deps we
do not control directly:
- RUSTSEC-2024-0436 (paste, pulled by pgrx)
- RUSTSEC-2025-0134 (rustls-pemfile, pulled by testcontainers/bollard)
- RUSTSEC-2021-0127 (serde_cbor, transitive dev dep)

Warnings for duplicate windows-* crates remain; these are pre-existing
version skews from pgrx + testcontainers dep trees and are already
configured as warn-only.
@grove
fix(ci): silence cargo deny warnings
735d561 
- Remove stale RUSTSEC-2023-0071 ignore (sqlx mysql dep gone from graph)
- Add [bans] skip entries for duplicate crates that come from upstream
  version skews (pgrx vs testcontainers/bollard/ring) and cannot be
  resolved from this repo
- Remove skip entries that were unmatched on non-Windows platforms
  (windows-* 0.48.x, getrandom 0.2.x, hashbrown 0.12.x are only pulled
  by cfg(windows) deps not active on Linux/macOS)

cargo deny check now exits clean: advisories ok, bans ok, licenses ok, sources ok
@grove
docs(changelog): add SAST baseline entry for codeql-workflow
6c4b06e
@grove
fix(changelog): restore missing TPC-H enhancements bullet title
c683f61
@grove grove merged commit 70bb01a into main Mar 10, 2026
6 checks passed
@grove grove deleted the codeql-workflow branch March 10, 2026 18:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@BaardBouvet BaardBouvet BaardBouvet approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@grove @github-advanced-security @BaardBouvet