feat: multi-agent engine on the Claude Agent SDK #14
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CodeQL | |
| # Static security analysis (SAST) for the TypeScript sources — surfaces | |
| # command-injection / path-traversal / unsafe-shell patterns (the bug class the | |
| # run_command allowlist guards) in the repo's Security tab and as inline PR | |
| # annotations. Findings do NOT fail the build by default; gate via branch | |
| # protection later if desired. | |
| on: | |
| push: | |
| branches: [main] | |
| # Every PR regardless of base, so stacked / intermediate PRs don't skip SAST. | |
| pull_request: | |
| schedule: | |
| # Weekly full scan (Mondays 06:00 UTC). | |
| - cron: "0 6 * * 1" | |
| permissions: | |
| contents: read | |
| jobs: | |
| analyze: | |
| name: Analyze (javascript-typescript) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write # upload SARIF results to the Security tab | |
| actions: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: javascript-typescript | |
| queries: security-extended | |
| # Scan shipped product source only. Dev/test harnesses (scripts/, | |
| # *.test.ts) are not deployed and trip taint queries on values that | |
| # come from our own server, not an attacker (e.g. the e2e driver's | |
| # provider check). Keep SAST focused on packages/*/src. | |
| config: | | |
| paths-ignore: | |
| - scripts/** | |
| - "**/*.test.ts" | |
| - "**/dist/**" | |
| - name: Analyze | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:javascript-typescript" |