CodeQL is disabled for this repository because:
- This is primarily a Terraform (HCL) project
- CodeQL does not support Terraform/HCL analysis
- The minimal Python code (audit scripts) is better covered by other tools
Instead of CodeQL, this project uses:
- Checkov - Terraform security scanning
  - Scans for security misconfigurations
  - Validates against AWS best practices
  - Required to pass before commits
- Super-Linter - Multi-language linting
  - Configured in .github/workflows/super-linter.yml
  - Validates Terraform, Python, YAML, and more
- TFLint - Terraform-specific linting
  - Run locally before commits
  - Catches Terraform-specific issues
- Audit Tooling - Custom security audits
  - Python-based audit scripts in audit/
  - Uses MCP servers for AWS best practices
  - Run periodically for compliance
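Checkov is the gate that must pass before commits, so the useful thing to have beside it is the logic that decides "pass" or "fail" from its report, including the two places where a naive gate goes wrong: findings that were reviewed and accepted should not block every subsequent commit, and a file Checkov could not parse was not scanned at all and must not count as clean. The following is an added example, not code from this project or from Checkov. It consumes the report written by `checkov -d . -o json`; the field names it reads (`results.failed_checks`, `check_id`, `resource`, `file_path`, `parsing_errors`) are assumed from Checkov's JSON output and should be checked against the installed version. The allowlist entries and the sample report are constructed for illustration.

```python
"""Gate a Checkov JSON report: block on unreviewed findings and on parse errors.

Added example (not this project's own code). Field names are assumed from
Checkov's JSON output format; verify them against your Checkov version.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check_id: str
    resource: str
    file_path: str
    check_name: str


# Exceptions are keyed by (check_id, resource), never by check_id alone, so an
# accepted risk on one resource cannot silently cover a new resource that fails
# the same check. Hypothetical entry; a real allowlist lives in version control
# and its justification is reviewed like any other change.
ALLOWLIST = {
    ("CKV_AWS_18", "aws_s3_bucket.tf_state"): "Access logs are shipped from a separate account",
}


def load_reports(raw: str) -> list[dict]:
    """Checkov writes one object for a single framework and a list when several
    frameworks ran (terraform, github_actions, ...); normalise to a list."""
    data = json.loads(raw)
    return data if isinstance(data, list) else [data]


def collect_findings(reports: list[dict]) -> tuple[list[Finding], list[str]]:
    """Flatten failed checks across reports and gather files Checkov could not parse."""
    findings: list[Finding] = []
    parse_errors: list[str] = []
    for report in reports:
        results = report.get("results", {})
        for check in results.get("failed_checks", []):
            findings.append(Finding(
                check_id=check["check_id"],
                resource=check["resource"],
                file_path=check["file_path"],
                check_name=check.get("check_name", ""),
            ))
        # An unparsed file was never scanned: treat it as blocking, not as clean.
        parse_errors.extend(results.get("parsing_errors", []))
    return findings, parse_errors


def blocking_findings(findings: list[Finding], allowlist=ALLOWLIST) -> list[Finding]:
    """Findings without a reviewed (check_id, resource) exception."""
    return [f for f in findings if (f.check_id, f.resource) not in allowlist]


def evaluate(raw: str, allowlist=ALLOWLIST) -> tuple[bool, list[str]]:
    """Return (ok, messages); ok is False whenever the commit should be blocked."""
    findings, parse_errors = collect_findings(load_reports(raw))
    messages = [
        f"{f.file_path}: {f.resource} fails {f.check_id} ({f.check_name})"
        for f in blocking_findings(findings, allowlist)
    ]
    messages += [f"{path}: Checkov could not parse this file" for path in parse_errors]
    return (not messages), messages


# Constructed sample in the shape of a Checkov JSON report; not real scan output.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {"check_id": "CKV_AWS_18", "check_name": "Ensure the S3 bucket has access logging enabled",
             "resource": "aws_s3_bucket.tf_state", "file_path": "/s3.tf", "file_line_range": [1, 9]},
            {"check_id": "CKV_AWS_24", "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22",
             "resource": "aws_security_group.bastion", "file_path": "/sg.tf", "file_line_range": [1, 14]},
        ],
        "skipped_checks": [],
        "parsing_errors": ["/broken.tf"],
    },
    "summary": {"passed": 0, "failed": 2, "skipped": 0, "parsing_errors": 1, "resource_count": 2},
})


if __name__ == "__main__":
    # Usage: checkov -d . -o json | python checkov_gate.py ; falls back to the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    ok, messages = evaluate(raw)
    for message in messages:
        print(message)
    print("checkov gate:", "PASS" if ok else "FAIL")
    sys.exit(0 if ok else 1)
```

On the sample report the S3 logging finding is covered by the allowlist and drops out, while the open port 22 security group and the unparsed `/broken.tf` both block, so the script exits non-zero. Wiring it into a pre-commit hook or a PR check is a matter of piping Checkov's JSON into it and failing on the exit status.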
GitHub Actions workflows:
- super-linter.yml - Automated linting on PRs
- auto-approve.yml - Dependabot auto-approval
Dependabot is configured in dependabot.yml for:
- GitHub Actions updates
- Python dependencies (audit scripts)
If GitHub's default CodeQL scanning is enabled at the organization or repository level:
- Go to repository Settings → Code security and analysis
- Under Code scanning, disable CodeQL analysis
- Or, at the organization level, exclude this repository from default setup
This prevents the "no source code found" errors: CodeQL cannot analyze Terraform, so a scan configured for this repository finds nothing in a language it supports.