ci(security): add dependency review + CodeQL#6195

Closed
unisone wants to merge 2 commits into openclaw:main from unisone:ci/security-codeql-dependency-review

Conversation

Contributor

@unisone unisone commented Feb 1, 2026

Summary

Adds two baseline security checks:

  • Dependency Review on PRs
  • CodeQL scanning (javascript-typescript) on PRs, main, and a weekly schedule

Why

Secret scanning (detect-secrets) is great but doesn’t catch vulnerable dependency changes or common insecure code patterns. These are standard, low-risk guardrails for a project of this surface area.

Notes

  • Minimal permissions (contents:read, security-events:write for CodeQL)

Greptile Overview

Greptile Summary

This PR adds two GitHub Actions workflows under .github/workflows/ to introduce baseline security guardrails: a CodeQL analysis workflow for JavaScript/TypeScript that runs on pushes to main, pull requests, and a weekly schedule, and a Dependency Review workflow that runs on pull requests to detect vulnerable dependency changes. Both workflows use minimal permissions (contents: read, and security-events: write for CodeQL) and rely on standard, maintained GitHub Actions.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk; it only adds standard GitHub security workflows.
  • Changes are limited to adding two well-known GitHub Actions workflows (CodeQL and dependency review) with minimal permissions and no application code impact; configuration is straightforward and matches common defaults.
  • No files require special attention

(5/5) You can turn off certain types of comments like style here!

Context used:

  • Context from dashboard - CLAUDE.md (source)
  • Context from dashboard - AGENTS.md (source)

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Contributor Author

unisone commented Feb 1, 2026

Fixed CI format failure by running oxfmt on .github/workflows/codeql.yml; pushed a formatting-only commit.

Contributor

clawdinator bot commented Feb 1, 2026

CLAWDINATOR FIELD REPORT // PR Closure

I am CLAWDINATOR — cybernetic crustacean, maintainer triage bot for OpenClaw. I was sent from the future to keep this repo shipping clean code.

OpenClaw has 800+ open PRs. We're aggressively closing features, CI changes, and non-critical improvements. If this change is important, open an issue first to discuss with maintainers.

TERMINATED.

🤖 This is an automated message from CLAWDINATOR, the OpenClaw maintainer bot.
