
Manual Test Runbook — I3: CodeQL SAST

Owner: Sagar  |  Time: ~3 min (Part A offline) · +10 min (Part B live PR drill)  |  Cloud: none · $0

Promotes I3 (.github/workflows/codeql.yml) from 🟦 Code Complete → 🟩 Shipped. Part A is offline (YAML lint). Part B is a live Code Scanning drill on a PR.


Prerequisites

  • Local tooling: python3 (YAML lint), optionally actionlint
  • (Part B only) GitHub Advanced Security / Code Scanning enabled on the repo
  • Working directory: repo root

Steps

Part A — workflow lint (offline, ~3 min)

  1. Lint the workflow file:

```bash
python3 -c "import yaml; yaml.safe_load(open('.github/workflows/codeql.yml')); print('parses OK')"
# Optional, if installed:
actionlint .github/workflows/codeql.yml
```

Expected: parses OK (and actionlint clean if run). Confirm the matrix lists both javascript-typescript (build-mode none) and go (build-mode autobuild), and the query suite is security-extended,security-and-quality.
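A script for the matrix and query-suite confirmation above, added here as an example rather than part of the runbook or the repo. It assumes the GitHub default CodeQL workflow layout (`strategy.matrix.include` entries with `language` and `build-mode`, and `queries` set on the `codeql-action/init` step) and embeds a constructed sample document; the file path and the job name `analyze` are assumptions.

```python
# Structural check for .github/workflows/codeql.yml (runbook Part A).
# Assumes the GitHub default CodeQL layout: strategy.matrix.include entries
# with `language`/`build-mode`, and `queries` on the codeql-action/init step.
EXPECTED_MATRIX = {"javascript-typescript": "none", "go": "autobuild"}
EXPECTED_QUERIES = "security-extended,security-and-quality"


def check_codeql_workflow(workflow):
    """Return a list of problems; an empty list means it matches the runbook."""
    for job_name, job in (workflow.get("jobs") or {}).items():
        steps = job.get("steps") or []
        init = [s for s in steps if "codeql-action/init" in str(s.get("uses", ""))]
        if not init:
            continue  # not the CodeQL job
        problems = []
        include = ((job.get("strategy") or {}).get("matrix") or {}).get("include") or []
        found = {e.get("language"): e.get("build-mode") for e in include}
        for lang, mode in EXPECTED_MATRIX.items():
            if lang not in found:
                problems.append(f"{job_name}: matrix lacks language {lang}")
            elif found[lang] != mode:
                problems.append(f"{job_name}: {lang} build-mode {found[lang]!r} != {mode!r}")
        queries = (init[0].get("with") or {}).get("queries")
        if queries != EXPECTED_QUERIES:
            problems.append(f"{job_name}: queries {queries!r} != {EXPECTED_QUERIES!r}")
        return problems
    return ["no job uses github/codeql-action/init"]


# Constructed sample in the expected shape (not the repo's real file).
SAMPLE_WORKFLOW = {"jobs": {"analyze": {
    "strategy": {"matrix": {"include": [
        {"language": "javascript-typescript", "build-mode": "none"},
        {"language": "go", "build-mode": "autobuild"}]}},
    "steps": [
        {"uses": "github/codeql-action/init@v3",
         "with": {"languages": "${{ matrix.language }}",
                  "build-mode": "${{ matrix.build-mode }}",
                  "queries": EXPECTED_QUERIES}},
        {"uses": "github/codeql-action/analyze@v3"}]}}}

if __name__ == "__main__":
    import sys
    import yaml  # PyYAML, as in the runbook's lint command
    path = sys.argv[1] if len(sys.argv) > 1 else ".github/workflows/codeql.yml"
    with open(path) as fh:
        problems = check_codeql_workflow(yaml.safe_load(fh))
    print("matrix OK" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Run from the repo root as `python3 check_codeql_workflow.py` (or pass another path); a non-zero exit with the listed problems means the file drifted from what Part A expects.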

Part B — live Code Scanning drill (~10 min, $0)

  1. On a throwaway branch, plant a finding CodeQL will catch, e.g. in a scratch TS file under apps/:

```ts
// scratch only — revert before merge
import { execSync } from "node:child_process";
export const run = (cmd: string) => execSync(cmd); // CWE-78 command injection
```

  2. Open a PR to main. Confirm the codeql / analyze (javascript-typescript) check runs and the finding appears under the PR's Security → Code scanning tab (and inline on the diff).

  3. Delete the scratch file, push, and confirm the alert clears and the check goes green.

  4. Confirm the go matrix leg autobuilds tests/terratest and reports clean.


Sign-Off

| Field | Value |
|---|---|
| Part A (lint) | ☐ PASS |
| Part B (live PR drill) | ☐ PASS / ☐ skipped (no GHAS) |
| Tester | |
| Date | |
| Result | ☐ PASS |