From 3cd360e8d6e2a74435d48ac3b93b0a72d484be13 Mon Sep 17 00:00:00 2001
From: Kelsi
Date: Thu, 14 May 2026 11:33:26 -0700
Subject: [PATCH] chore(ci): exclude extern/ from CodeQL and Semgrep scanning

All 61 open CodeQL alerts were in vendored third-party libraries (ImGui, miniaudio, stb_*). We do not modify upstream code, so these findings drown out signal in our own code without being actionable.
---
 .github/codeql/codeql-config.yml | 7 +++++++
 .github/workflows/security.yml   | 1 +
 2 files changed, 8 insertions(+)

diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
index 9695e17d..c8d68147 100644
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -1,5 +1,12 @@
 name: wowee-codeql-config
 
+# Skip vendored third-party libraries. We do not modify upstream code in
+# extern/ (ImGui, miniaudio, stb_*, etc.) — those projects own their own
+# triage and accepting CodeQL findings there blocks our update path and
+# drowns out signal in our own code.
+paths-ignore:
+  - extern
+
 # The WoW client protocol (world-socket header cipher) and Warden anti-cheat
 # module protocol both mandate RC4. There is no way to replace RC4 with a
 # stronger algorithm without breaking compatibility with all supported servers.
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 6e5f63af..e1c6a25b 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -88,6 +88,7 @@ jobs:
           semgrep scan \
             --config p/security-audit \
             --config p/secrets \
+            --exclude extern \
             --error
 
   sanitizer-build:
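Review bot: The new `paths-ignore` entry drops alerts by their reported location, and since ImGui, miniaudio and stb_* are C/C++ the extern/ code is (as far as I recall from the CodeQL docs for compiled languages) still compiled and extracted; only findings located there are filtered out. A path-problem alert is anchored at its sink, so a flow from this repository's own code into an extern/ function is now hidden alongside the purely upstream noise. That is a reasonable trade for 61 unactionable alerts, but the comment should say so: after `# drowns out signal in our own code.` add `# For compiled languages this filters results, not extraction, so an alert whose sink sits in extern/ is hidden even when the data originates in our code.` Since the vendored code still ships in the binary, pointing the comment at where the extern/ versions are recorded would also document the "update path" it refers to.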
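Review bot: The Semgrep exclusion arrives without the rationale the CodeQL side received, and a `#` line cannot sit inside the backslash-continued command, so the comment belongs above `semgrep scan \` (the step itself begins outside the hunk): `# extern/ is vendored upstream code; see paths-ignore in .github/codeql/codeql-config.yml for the rationale`. Semgrep's `--exclude` matches a path component anywhere in the tree, so `--exclude extern` also skips any nested directory named extern, which is broader than the root-relative `paths-ignore: - extern` in the CodeQL config — harmless if no such directory exists today, but worth stating in that comment so the two exclusions are not assumed equivalent. The exclusion also applies to `p/secrets`, so a credential vendored into extern/ would no longer be reported; that is acceptable only while extern/ stays byte-identical to upstream, which the commit message asserts.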