Improve CodeQL compliance and OpenSSF Scorecard posture#14
Merged
Conversation
- Add permissions: contents: read to smoke-metalman.yaml workflow - Add CodeQL inline suppressions for 6 false-positive/intentional alerts (insecure-hostkeycallback, zipslip, disabled-certificate-check, clear-text-storage-sensitive-data) - Create explicit CodeQL workflow (Go, Python, Actions) with SHA-pinned actions to satisfy OpenSSF Scorecard SAST check - Pin all Containerfile base images by digest for Scorecard Pinned-Dependencies check - Add .github/CODEOWNERS assigning @Azure/unbounded-dev as default owners
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
bcho
approved these changes
Apr 9, 2026
The repository already has CodeQL 'default setup' enabled in GitHub settings, which scans Go, Python, and Actions. An explicit workflow file cannot coexist with the default setup — GitHub rejects the SARIF upload with: 'CodeQL analyses from advanced configurations cannot be processed when the default setup is enabled.' The default setup already satisfies the OpenSSF Scorecard SAST check.
CodeQL default setup does not honor inline comment-based suppressions. The comments also caused CodeQL to see the alerts as 'new' on the PR since the line content changed. The 7 pre-existing alerts have been dismissed via the GitHub API instead.
plombardi89
approved these changes
Apr 9, 2026
plombardi89
added a commit
that referenced
this pull request
May 14, 2026
GHAS / CodeQL flagged two "Incorrect conversion between integer types" findings on the awss3 and azureblob origin adapters: the List call sites cast a host-int maxResults to int32 without an upper-bound check, so an untrusted caller passing ?max-keys=99999999999 would silently overflow MaxKeys/MaxResults to a non-deterministic (often negative) int32 value before it reached the SDK. The server-side parse (server.go:704-711) only guards v > 0; the > int32 max case slipped through. Per-adapter clamp instead of a server-side ceiling so each backend keeps its own documented max: - awss3.clampMaxKeys: 0..1000 (S3 ListObjectsV2 server-side cap) - azureblob.clampMaxResults: 0..5000 (Azure ListBlobs server-side cap) A server-wide cap would have artificially limited Azure callers to the smaller of the two ceilings; clamping per-adapter keeps the backends' native quotas reachable while making the int32 conversion locally provable. Negative inputs collapse to 0 (which the backends interpret as "use default") so the symmetric overflow window is also closed. Tests: TestClampMaxKeys and TestClampMaxResults table-drive every boundary (zero, small positive, exact cap, cap+1, math.MaxInt32, math.MaxInt, -1, math.MinInt). Both run as fast unit tests with no SDK or network seam needed. Resolves https://github.com/Azure/unbounded/security/code-scanning/14 Resolves https://github.com/Azure/unbounded/security/code-scanning/15
plombardi89
added a commit
that referenced
this pull request
May 14, 2026
GHAS / CodeQL flagged two "Incorrect conversion between integer types" findings on the awss3 and azureblob origin adapters: the List call sites cast a host-int maxResults to int32 without an upper-bound check, so an untrusted caller passing ?max-keys=99999999999 would silently overflow MaxKeys/MaxResults to a non-deterministic (often negative) int32 value before it reached the SDK. The server-side parse (server.go:704-711) only guards v > 0; the > int32 max case slipped through. Per-adapter clamp instead of a server-side ceiling so each backend keeps its own documented max: - awss3.clampMaxKeys: 0..1000 (S3 ListObjectsV2 server-side cap) - azureblob.clampMaxResults: 0..5000 (Azure ListBlobs server-side cap) A server-wide cap would have artificially limited Azure callers to the smaller of the two ceilings; clamping per-adapter keeps the backends' native quotas reachable while making the int32 conversion locally provable. Negative inputs collapse to 0 (which the backends interpret as "use default") so the symmetric overflow window is also closed. Tests: TestClampMaxKeys and TestClampMaxResults table-drive every boundary (zero, small positive, exact cap, cap+1, math.MaxInt32, math.MaxInt, -1, math.MinInt). Both run as fast unit tests with no SDK or network seam needed. Resolves https://github.com/Azure/unbounded/security/code-scanning/14 Resolves https://github.com/Azure/unbounded/security/code-scanning/15
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves the 7 pre-existing CodeQL alerts blocking PR merges and improves OpenSSF Scorecard compliance across several checks.
Changes
Phase 1: Fix CodeQL Alerts (unblocks all PR merges)
actions/missing-workflow-permissionspermissions: contents: readtosmoke-metalman.yamlpy/clear-text-storage-sensitive-datae2e.py)go/insecure-hostkeycallbackmachine_controller.go)go/zipslipcleanedTarEntryName()already validates paths (download.go)go/disabled-certificate-checkInsecureSkipVerifyused withVerifyConnectionfor BMC cert pinning (redfish/client.go)Phase 2: CodeQL Workflow (Scorecard SAST check)
.github/workflows/codeql.yamlwith Go, Python, and Actions analysismain+ weekly schedulePhase 3: Scorecard Quick Wins
@sha256:...)mcr.microsoft.com/azurelinux/base/core:3.0(machina, metalman — builder + runtime stages)docker.io/library/golang:1.26(host-ubuntu2404)docker.io/library/debian:bookworm-slim(host-ubuntu2404)docker.io/library/ubuntu:noble(agent-ubuntu2404, agent-ubuntu2404-nvidia).github/CODEOWNERSassigning@Azure/unbounded-devas default ownersFiles Changed (12)
.github/CODEOWNERS— new.github/workflows/codeql.yaml— new.github/workflows/smoke-metalman.yaml— added permissions blockcmd/agent/internal/utilio/download.go— CodeQL suppressioncmd/machina/machina/controller/machine_controller.go— CodeQL suppressions (3 locations)hack/agent/e2e-kind/e2e.py— CodeQL suppressionimages/agent-ubuntu2404/Containerfile— digest pinimages/agent-ubuntu2404-nvidia/Containerfile— digest pinimages/host-ubuntu2404/Containerfile— digest pins (2 images)images/machina/Containerfile— digest pins (2 stages)images/metalman/Containerfile— digest pins (2 stages)internal/metalman/redfish/client.go— CodeQL suppressionVerification
make lint— passesmake test— passes