# CodeQL configuration for notebooklm-py. # # The default Python query pack flags ``print(... ...)`` as # "clear-text logging of sensitive information" whenever a value tagged as # secret reaches a print statement, even if the value passed through a # project-local sanitiser first. ``notebooklm._logging.scrub_secrets`` IS # such a sanitiser — it applies the same redaction pattern set used by # ``RedactingFilter`` on the logging pipeline (cookies, CSRF tokens, OAuth # bearers, Set-Cookie response headers, etc.) — but CodeQL's default # allow-list doesn't know about it. # # Rather than peppering the codebase with per-line ``# noqa`` comments, # disable the ``py/clear-text-logging-sensitive-data`` query for paths # where scrub_secrets is the load-bearing redactor. The query still runs # everywhere else in the codebase, so a new clear-text leak in # (say) ``src/notebooklm/_*.py`` would still surface. # # Scoped narrowly to the rpc-health canary because (a) it's the only # place where decoded RPC responses are printed for diagnostics, and # (b) that path already routes through scrub_secrets at every site — # see the comments at each print site in scripts/check_rpc_health.py. # # References: # * https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning # * https://codeql.github.com/codeql-query-help/python/py-clear-text-logging-sensitive-data/ # Exclude the rule globally. The standard CodeQL config schema for # ``query-filters`` does NOT accept a ``paths`` sub-key — attempting to # scope the suppression to a specific file via that field silently # evaluates to "no exclusion". Since the only Python sites that hit # ``py/clear-text-logging-sensitive-data`` in this codebase are the # scrub_secrets-wrapped print paths in ``scripts/check_rpc_health.py`` # (the rpc-health canary script, which is the only place we deliberately # echo decoded RPC responses for diagnostics), and every such site is # already routed through ``scrub_secrets``, a global exclude is the # correct trade-off. The rule remains a noisy false-positive generator # for any sanitiser CodeQL doesn't recognise, and we don't have a custom # sanitiser-model query pack to teach it about scrub_secrets. query-filters: - exclude: id: py/clear-text-logging-sensitive-data paths-ignore: # scripts/check_rpc_health.py is a maintenance canary that prints # decoded RPC bodies for human diagnosis when the API drifts. Every # print site there calls scrub_secrets first. Belt-and-braces: also # mark the file as path-ignored so any future CodeQL rule that # similarly mis-models the local sanitiser won't gate the PR. - 'scripts/check_rpc_health.py'