github
diff --git a/‎actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
+2Lines changed: 2 additions & 0 deletions b/‎actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
+2Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
+2Lines changed: 2 additions & 0 deletions b/‎actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
+2Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
+2Lines changed: 2 additions & 0 deletions b/‎actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
+2Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
+2Lines changed: 2 additions & 0 deletions b/‎actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
+2Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
+2Lines changed: 2 additions & 0 deletions b/‎actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
+2Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
+2Lines changed: 2 additions & 0 deletions b/‎actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
+2Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
+2Lines changed: 2 additions & 0 deletions b/‎actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
+2Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
+2Lines changed: 2 additions & 0 deletions b/‎actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
+2Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
+2Lines changed: 2 additions & 0 deletions b/‎actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
+2Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+12Lines changed: 12 additions & 0 deletions b/‎actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
Copy file name to clipboardExpand all lines: actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+12Lines changed: 12 additions & 0 deletions
diff --git a/‎actions/ql/src/Models/CompositeActionsSinks.ql
Copy file name to clipboardExpand all lines: actions/ql/src/Models/CompositeActionsSinks.ql
+2Lines changed: 2 additions & 0 deletions b/‎actions/ql/src/Models/CompositeActionsSinks.ql
Copy file name to clipboardExpand all lines: actions/ql/src/Models/CompositeActionsSinks.ql
+2Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/src/Models/CompositeActionsSources.ql
Copy file name to clipboardExpand all lines: actions/ql/src/Models/CompositeActionsSources.ql
+2Lines changed: 2 additions & 0 deletions b/‎actions/ql/src/Models/CompositeActionsSources.ql
Copy file name to clipboardExpand all lines: actions/ql/src/Models/CompositeActionsSources.ql
+2Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/src/Models/CompositeActionsSummaries.ql
Copy file name to clipboardExpand all lines: actions/ql/src/Models/CompositeActionsSummaries.ql
+2Lines changed: 2 additions & 0 deletions b/‎actions/ql/src/Models/CompositeActionsSummaries.ql
Copy file name to clipboardExpand all lines: actions/ql/src/Models/CompositeActionsSummaries.ql
+2Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/src/Models/ReusableWorkflowsSinks.ql
Copy file name to clipboardExpand all lines: actions/ql/src/Models/ReusableWorkflowsSinks.ql
+2Lines changed: 2 additions & 0 deletions b/‎actions/ql/src/Models/ReusableWorkflowsSinks.ql
Copy file name to clipboardExpand all lines: actions/ql/src/Models/ReusableWorkflowsSinks.ql
+2Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/src/Models/ReusableWorkflowsSources.ql
Copy file name to clipboardExpand all lines: actions/ql/src/Models/ReusableWorkflowsSources.ql
+2Lines changed: 2 additions & 0 deletions b/‎actions/ql/src/Models/ReusableWorkflowsSources.ql
Copy file name to clipboardExpand all lines: actions/ql/src/Models/ReusableWorkflowsSources.ql
+2Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/src/Models/ReusableWorkflowsSummaries.ql
Copy file name to clipboardExpand all lines: actions/ql/src/Models/ReusableWorkflowsSummaries.ql
+2Lines changed: 2 additions & 0 deletions b/‎actions/ql/src/Models/ReusableWorkflowsSummaries.ql
Copy file name to clipboardExpand all lines: actions/ql/src/Models/ReusableWorkflowsSummaries.ql
+2Lines changed: 2 additions & 0 deletions
@@ -88,6 +88,8 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
       run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
 
@@ -316,6 +316,8 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe artifacts that is used in an insecure way. */
 
@@ -35,6 +35,8 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
 
@@ -16,6 +16,8 @@ private module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
 
@@ -108,6 +108,8 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */
 
@@ -163,6 +163,8 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
 
@@ -214,6 +214,8 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
 
@@ -16,6 +16,8 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
 
@@ -15,6 +15,8 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */
 
@@ -70,6 +70,12 @@ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll:238: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module ActionsMutableRefCheckoutFlow = TaintTracking::Global<ActionsMutableRefCheckoutConfig>;
@@ -121,6 +127,12 @@ private module ActionsSHACheckoutConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll:273: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module ActionsSHACheckoutFlow = TaintTracking::Global<ActionsSHACheckoutConfig>;
 
@@ -24,6 +24,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;
 
@@ -34,6 +34,8 @@ private module MyConfig implements DataFlow::ConfigSig {
     isSink(node) and
     set instanceof DataFlow::FieldContent
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;
 
@@ -25,6 +25,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr())
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;
 
@@ -24,6 +24,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;
 
@@ -34,6 +34,8 @@ private module MyConfig implements DataFlow::ConfigSig {
     isSink(node) and
     set instanceof DataFlow::FieldContent
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;
 
@@ -25,6 +25,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr())
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;
Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,8 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {`
`88`	`88`	`run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)`
`89`	`89`	`)`
`90`	`90`	`}`
	`91`	`+`
	`92`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`91`	`93`	`}`
`92`	`94`
`93`	`95`	`/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */`
Original file line number	Diff line number	Diff line change
`@@ -316,6 +316,8 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {`
`316`	`316`	`exists(run.getScript().getAFileReadCommand())`
`317`	`317`	`)`
`318`	`318`	`}`
	`319`	`+`
	`320`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`319`	`321`	`}`
`320`	`322`
`321`	`323`	`/** Tracks flow of unsafe artifacts that is used in an insecure way. */`
Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,8 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {`
`35`	`35`	`exists(run.getScript().getAFileReadCommand())`
`36`	`36`	`)`
`37`	`37`	`}`
	`38`	`+`
	`39`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`38`	`40`	`}`
`39`	`41`
`40`	`42`	`/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,8 @@ private module CommandInjectionConfig implements DataFlow::ConfigSig {`
`16`	`16`	`predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }`
`17`	`17`
`18`	`18`	`predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }`
	`19`	`+`
	`20`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`19`	`21`	`}`
`20`	`22`
`21`	`23`	`/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */`
Original file line number	Diff line number	Diff line change
`@@ -108,6 +108,8 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig {`
`108`	`108`	`exists(run.getScript().getAFileReadCommand())`
`109`	`109`	`)`
`110`	`110`	`}`
	`111`	`+`
	`112`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`111`	`113`	`}`
`112`	`114`
`113`	`115`	`/** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */`
Original file line number	Diff line number	Diff line change
`@@ -163,6 +163,8 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {`
`163`	`163`	`exists(run.getScript().getAFileReadCommand())`
`164`	`164`	`)`
`165`	`165`	`}`
	`166`	`+`
	`167`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`166`	`168`	`}`
`167`	`169`
`168`	`170`	`/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */`
Original file line number	Diff line number	Diff line change
`@@ -214,6 +214,8 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {`
`214`	`214`	`)`
`215`	`215`	`)`
`216`	`216`	`}`
	`217`	`+`
	`218`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`217`	`219`	`}`
`218`	`220`
`219`	`221`	`/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,8 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {`
`16`	`16`	`predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }`
`17`	`17`
`18`	`18`	`predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }`
	`19`	`+`
	`20`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`19`	`21`	`}`
`20`	`22`
`21`	`23`	`/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,8 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {`
`15`	`15`	`predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }`
`16`	`16`
`17`	`17`	`predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }`
	`18`	`+`
	`19`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`18`	`20`	`}`
`19`	`21`
`20`	`22`	`/** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */`
Original file line number	Diff line number	Diff line change
`@@ -70,6 +70,12 @@ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig {`
`70`	`70`	`exists(run.getScript().getAFileReadCommand())`
`71`	`71`	`)`
`72`	`72`	`}`
	`73`	`+`
	`74`	`+ predicate observeDiffInformedIncrementalMode() {`
	`75`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`76`	`+ // actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll:238: Flow call outside 'select' clause`
	`77`	`+ none()`
	`78`	`+ }`
`73`	`79`	`}`
`74`	`80`
`75`	`81`	`module ActionsMutableRefCheckoutFlow = TaintTracking::Global<ActionsMutableRefCheckoutConfig>;`
`@@ -121,6 +127,12 @@ private module ActionsSHACheckoutConfig implements DataFlow::ConfigSig {`
`121`	`127`	`exists(run.getScript().getAFileReadCommand())`
`122`	`128`	`)`
`123`	`129`	`}`
	`130`	`+`
	`131`	`+ predicate observeDiffInformedIncrementalMode() {`
	`132`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`133`	`+ // actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll:273: Flow call outside 'select' clause`
	`134`	`+ none()`
	`135`	`+ }`
`124`	`136`	`}`
`125`	`137`
`126`	`138`	`module ActionsSHACheckoutFlow = TaintTracking::Global<ActionsSHACheckoutConfig>;`