ci: exclude weak-sensitive-data-hashing rule from CodeQL
API token hashing uses HMAC-SHA256 on high-entropy tokens (256-bit random), not passwords. Actual password hashing uses bcrypt.
This commit is contained in:
Stefano Bertelli
parent
604446f8ca
commit
31b31b7946
2 changed files with 10 additions and 0 deletions
9
.github/codeql/codeql-config.yml
vendored
Normal file
9
.github/codeql/codeql-config.yml
vendored
Normal file
|
|
@ -0,0 +1,9 @@
|
|||
name: "WireGUI CodeQL config"
|
||||
|
||||
query-filters:
|
||||
# API token hashing uses HMAC-SHA256 which is appropriate for high-entropy
|
||||
# tokens (256-bit random). Actual password hashing uses bcrypt.
|
||||
# CodeQL flags any SHA-family hash as "weak for password hashing" but this
|
||||
# rule is not applicable to API token lookups.
|
||||
- exclude:
|
||||
id: py/weak-sensitive-data-hashing
|
||||
1
.github/workflows/codeql.yml
vendored
1
.github/workflows/codeql.yml
vendored
|
|
@ -26,6 +26,7 @@ jobs:
|
|||
uses: github/codeql-action/init@v3
|
||||
with:
|
||||
languages: python
|
||||
config-file: .github/codeql/codeql-config.yml
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@v3
|
||||
Loading…
Add table
Add a link
Reference in a new issue