
Merge branch 'main' into main

c19c340
Open

Add supply chain queries for npm publish token usage and missing provenance #21621

GitHub Advanced Security / CodeQL completed Apr 2, 2026 in 5s

6 configurations not found

Warning: Code scanning may not have found all the alerts introduced by this pull request, because 6 configurations present on refs/heads/main were not found:

Actions workflow (rust-analysis.yml)

  • ❓  .github/workflows/rust-analysis.yml:analyze/language:rust

Actions workflow (csv-coverage-metrics.yml)

  • ❓  .github/workflows/csv-coverage-metrics.yml:publish-csharp
  • ❓  .github/workflows/csv-coverage-metrics.yml:publish-java

Actions workflow (codeql-analysis.yml)

  • ❓  .github/workflows/codeql-analysis.yml:CodeQL-Build/language:actions
  • ❓  .github/workflows/codeql-analysis.yml:CodeQL-Build/language:csharp

Actions workflow (cpp-swift-analysis.yml)

  • ❓  .github/workflows/cpp-swift-analysis.yml:CodeQL-Build

New alerts in code changed by this pull request

  • 5 warnings

See annotations below for details.


Annotations

Check warning on line 25 in actions/ql/src/Security/CWE-353/MissingProvenanceFlag.ql


Code scanning / CodeQL

Alert message style violation (Warning)

Alert message should start with a capital letter.

Check warning on line 53 in actions/ql/src/Security/CWE-798/NpmTokenInPublish.ql


Code scanning / CodeQL

Alert message style violation (Warning)

Don't quote substitutions in alert messages.

Check warning on line 54 in actions/ql/src/Security/CWE-798/NpmTokenInPublish.ql


Code scanning / CodeQL

Alert message style violation (Warning)

Don't repeat the alert location as a link.

Check warning on line 1 in actions/ql/test/query-tests/Security/CWE-353/MissingProvenanceFlag.qlref


Code scanning / CodeQL

Query test without inline test expectations (Warning, test)

Query test does not use inline test expectations.

Check warning on line 1 in actions/ql/test/query-tests/Security/CWE-798/NpmTokenInPublish.qlref


Code scanning / CodeQL

Query test without inline test expectations (Warning, test)

Query test does not use inline test expectations.