From 53f3123030edffee17e2e028ac408137c1ee0ff6 Mon Sep 17 00:00:00 2001 From: Julio Quinteros Pro Date: Sat, 28 Feb 2026 11:40:22 -0300 Subject: [PATCH 1/2] fix(ci): add custom CodeQL workflow to replace expensive default setup The default CodeQL setup runs all 45 Python security queries against the entire codebase. Two queries (CleartextLogging, PolynomialReDoS) produce result sets > 2 GiB, causing 49+ minute runs that fail and block CI. - Add custom workflow with 30-minute timeout and concurrency limits - Exclude py/clear-text-logging-sensitive-data (CWE-312) - Exclude py/polynomial-redos (CWE-730) - Skip scanning tests/, docs/, and UI build output NOTE: The Default Setup must be disabled in repo Settings > Code security before merging, otherwise both will run simultaneously. Co-Authored-By: Claude Opus 4.6 --- .github/codeql/codeql-config.yml | 15 +++++++++ .github/workflows/codeql.yml | 54 ++++++++++++++++++++++++++++++++ 2 files changed, 69 insertions(+) create mode 100644 .github/codeql/codeql-config.yml create mode 100644 .github/workflows/codeql.yml diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 0000000000..9b6be27ab8 --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,15 @@ +name: "LiteLLM CodeQL config" + +# Exclude queries that produce result sets > 2 GiB on this codebase, +# causing 49+ minute runs that fail and block CI resources. +query-filters: + - exclude: + id: py/clear-text-logging-sensitive-data # CWE-312/CleartextLogging.ql — result set > 2 GiB + - exclude: + id: py/polynomial-redos # CWE-730/PolynomialReDoS.ql — result set > 2 GiB + +paths-ignore: + - tests + - docs + - "**/*.md" + - litellm/proxy/_experimental/out diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..2fea0c000f --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,54 @@ +name: "CodeQL" + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + # Run weekly on Sundays at 04:00 UTC + - cron: "0 4 * * 0" + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + timeout-minutes: 30 + permissions: + security-events: write + packages: read + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: actions + build-mode: none + - language: javascript-typescript + build-mode: none + - language: python + build-mode: none + - language: ruby + build-mode: none + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + config-file: ./.github/codeql/codeql-config.yml + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{ matrix.language }}" From d7340b595beb8ebc75ce6868b2429e8989c611a8 Mon Sep 17 00:00:00 2001 From: Julio Quinteros Pro Date: Sat, 28 Feb 2026 12:16:42 -0300 Subject: [PATCH 2/2] Update .github/workflows/codeql.yml Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 2fea0c000f..3d11345e85 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -11,7 +11,7 @@ on: concurrency: group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true + cancel-in-progress: ${{ github.event_name == 'pull_request' }} jobs: analyze: