From cbbd51a5ce1fdf8546e9424d1d4ed66a3c51c23f Mon Sep 17 00:00:00 2001 From: Joe Reyna Date: Wed, 11 Mar 2026 07:38:01 -0700 Subject: [PATCH] fix(codeql): switch to security-extended to fix OOM failures (#23226) * fix(codeql): switch to security-extended query suite The security-and-quality suite produces result sets > 2 GiB on this codebase, causing fatal OOM failures and blocking CI. Switching to security-extended reduces query scope to security-only checks, which still complete successfully. Quality/maintainability checks are already covered by the existing lint pipeline. * fix(codeql): exclude OOM queries from security-extended --- .github/codeql/codeql-config.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml index 9b6be27ab8..20807685e1 100644 --- a/.github/codeql/codeql-config.yml +++ b/.github/codeql/codeql-config.yml @@ -1,12 +1,19 @@ name: "LiteLLM CodeQL config" -# Exclude queries that produce result sets > 2 GiB on this codebase, -# causing 49+ minute runs that fail and block CI resources. +# Use security-extended suite instead of security-and-quality to avoid +# result sets > 2 GiB on this codebase that cause fatal OOM failures. +queries: + - uses: security-extended + +# These two queries are security queries included in security-extended that +# individually produce result sets > 2 GiB on this codebase, causing fatal +# OOM failures. Exclude them as a safety net until CI confirms they no longer +# OOM; drop these exclusions in a follow-up once verified. query-filters: - exclude: - id: py/clear-text-logging-sensitive-data # CWE-312/CleartextLogging.ql — result set > 2 GiB + id: py/clear-text-logging-sensitive-data # CWE-312 — > 2 GiB result set - exclude: - id: py/polynomial-redos # CWE-730/PolynomialReDoS.ql — result set > 2 GiB + id: py/polynomial-redos # CWE-730 — > 2 GiB result set paths-ignore: - tests