vrr/openclaw
2
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-28 14:44:08 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 14
openclaw/.github/codeql/codeql-android-critical-security.yml
Vincent Koc 1278f0bcc0
fix(codeql): tune Android pinning profile 
Remove noisy missing-certificate-pinning query from the critical Android CodeQL profile; gateway TLS uses custom certificate fingerprint pinning.
2026-04-27 23:04:16 -07:00

30 lines
882 B
YAML
Raw Blame History

name: openclaw-codeql-android-critical-security
disable-default-queries: true
queries:
- uses: security-extended
query-filters:
# Android canvas intentionally runs trusted A2UI JavaScript; keep this profile focused on exploitable WebView edges.
- exclude:
id: java/android/websettings-javascript-enabled
# Gateway TLS already pins verified certificate SHA-256 fingerprints. OkHttp CertificatePinner pins SPKI hashes,
# so this query is noisy for OpenClaw's TOFU/local-gateway trust model and does not belong in the critical profile.
- exclude:
id: java/android/missing-certificate-pinning
paths:
- apps/android/app/src/main
paths-ignore:
- "**/.gradle"
- "**/build"
- "**/node_modules"
- "**/coverage"
- "**/*.generated.*"
- "**/*Test.kt"
- "**/*Test.java"
- "**/*Benchmark.kt"
- apps/android/app/src/test
- apps/android/benchmark
Reference in a new issue View git blame Copy permalink