Skip to content

Actions: Diff-informed queries: phase 3 (non-trivial locations) #20072

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 6 commits into
base: main
Choose a base branch
from

Conversation

d10c
Copy link
Contributor

@d10c d10c commented Jul 17, 2025

This PR enables diff-informed mode on queries that select a location other than dataflow source or sink. This entails adding a non-trivial location override that returns the locations that are actually selected.

Prior work includes PRs like #19663, #19759, and #19817. This PR uses the same patch script as those PRs to find candidate queries to convert to diff-enabled. This is the final step in mass-enabling diff-informed queries on all the languages.

Commit-by-commit reviewing is recommended.

  • I have split the commits that add/modify tests from the ones that enable/disable diff-informed queries.
  • If the commit modifies a .qll file, in the commit message I've included links to the queries that depend on that .qll for easier reviewing.
  • Feel free to delegate parts of the review to others who may be more specialized in certain languages.

d10c added 6 commits July 17, 2025 11:35
@github-actions github-actions bot added the Actions Analysis of GitHub Actions label Jul 17, 2025
@d10c d10c added the no-change-note-required This PR does not need a change note label Jul 17, 2025
@d10c d10c requested a review from michaelnebel July 17, 2025 13:31
@d10c d10c marked this pull request as ready for review July 17, 2025 13:31
@Copilot Copilot AI review requested due to automatic review settings July 17, 2025 13:31
@d10c d10c requested a review from a team as a code owner July 17, 2025 13:31
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enables diff-informed mode on security queries in the Actions language by adding location override methods to return the actual selected locations rather than just dataflow sources or sinks. This represents the final phase of mass-enabling diff-informed queries across all languages.

  • Adds observeDiffInformedIncrementalMode(), getASelectedSourceLocation(), and getASelectedSinkLocation() methods to multiple security query configurations
  • Incorporates existing "where clause" logic from corresponding Critical.ql files into the location selection methods
  • Adds necessary imports for ControlChecks and other dependencies to support the new functionality

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file
File Description
EnvVarInjectionQuery.qll Adds diff-informed mode support with complex sink location logic for environment variable injection detection
EnvPathInjectionQuery.qll Enables diff-informed mode with PATH environment variable specific location selection
CommandInjectionQuery.qll Implements diff-informed mode for command injection detection with privileged context checks
CodeInjectionQuery.qll Adds diff-informed support with logic for both code injection and cache poisoning scenarios
ArtifactPoisoningQuery.qll Enables diff-informed mode for artifact poisoning detection with control check validation
ArgumentInjectionQuery.qll Implements diff-informed mode for argument injection detection with event-based location selection

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Actions Analysis of GitHub Actions no-change-note-required This PR does not need a change note
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant