Skip to content

QVAC-21550 infra: roll out canonical security baseline (TruffleHog + CodeQL) to qvac-ext-stable-diffusion.cpp#17

Merged
GSServita merged 5 commits into
masterfrom
feat/QVAC-21550-canonical-security-workflow
Jul 7, 2026
Merged

QVAC-21550 infra: roll out canonical security baseline (TruffleHog + CodeQL) to qvac-ext-stable-diffusion.cpp#17
GSServita merged 5 commits into
masterfrom
feat/QVAC-21550-canonical-security-workflow

Conversation

@GSServita

@GSServita GSServita commented Jul 1, 2026

Copy link
Copy Markdown

🎯 What problem does this PR solve?

  • Security scanning across QVAC Tier-1 repos is inconsistent — TruffleHog / CodeQL coverage and configuration drift between repos. QVAC-21550 rolls out the org's canonical security baseline so every Tier-1 repo opts in via a single uses: reference. This PR lands that caller in this Tier-1 native (C/C++) repo.

📝 How does it solve it?

  • Adds .github/workflows/security-baseline.yml, a thin caller that delegates to the canonical reusable workflow tetherto/qvac-actions/.github/workflows/public-reusable-security.yml (TruffleHog secret scan + CodeQL static analysis), authored under QVAC-19055.
  • Triggers: pull_request, push to the default branch, and workflow_dispatch. Plain pull_request (not pull_request_target) — the baseline needs no secrets/privileged context.
  • Config: languages: c-cpp (explicit), severity-threshold: high, codeql-upload: never (this repo uses CodeQL "Default setup"), and codeql-build-mode: none — buildless C/C++ extraction. This is uniform across all Tier-1 C/C++ callers and robust versus autobuild on native/submodule projects (submodule forks otherwise fail autobuild at add_subdirectory ... does not contain a CMakeLists.txt file).

🧪 How was it tested?

  • actionlint — clean; yamlfmt -lint -formatter retain_line_breaks_single=true (v0.17.0) — clean.
  • baseline / * checks (TruffleHog + CodeQL c-cpp) verified green with codeql-build-mode: none.

🔐 Action pinning

  • tetherto/qvac-actions/.github/workflows/public-reusable-security.yml (reusable workflow): pinned to be1d22629cc48b6dcc36645acc9e6d89cfaf54d8 # 0.2.0 — the immutable commit SHA behind the released 0.2.0 tag (which adds the codeql-build-mode input, qvac-actions#10), per the org freeze-and-pin convention.

🛡️ Permissions changes

  • Scope: top-level — Before: (repo default) → After: contents: read.
  • Scope: job baseline — Before: (none) → After: contents: read, security-events: write, pull-requests: write, actions: read.
  • Justification: least-privilege set required by the canonical reusable workflow — security-events: write for CodeQL SARIF, pull-requests: write for the findings summary comment, actions: read for workflow introspection; everything else stays read-only. No repo secrets are passed (github.token covers the write-backs on same-repo runs).

Part of the QVAC-21550 Tier-1 rollout (canonical security workflow: QVAC-19055; Tier-1 scope: QVAC-19052).

Drafted by an AI agent via the qv-devops-pr-create convention; please review the workflow config before merge.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review Status

Current Status: ❌ PENDING
Approvals so far: none

Pending reviews: Needs 1 Management or Team Lead, and 1 more from Management, Team Lead, or Member.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

Security baseline — findings detected

  • TruffleHog: success
  • CodeQL: failure
  • Severity threshold: high

See the job summary and the repository Security tab for details.

This comment is updated automatically by the canonical security workflow.

NamelsKing
NamelsKing previously approved these changes Jul 2, 2026
Comment thread .github/workflows/security-baseline.yml Outdated
Proletter
Proletter previously approved these changes Jul 7, 2026
@GSServita GSServita dismissed stale reviews from Proletter and NamelsKing via 715b15a July 7, 2026 09:16
@GSServita GSServita marked this pull request as ready for review July 7, 2026 09:46
@GSServita GSServita requested review from a team as code owners July 7, 2026 09:46
@GSServita GSServita merged commit 705b7a4 into master Jul 7, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants