openclaw/.github/codeql/codeql-android-critical-security.yml

name: openclaw-codeql-android-critical-security

disable-default-queries: true

queries:
  - uses: security-extended

query-filters:
  # Android canvas intentionally runs trusted A2UI JavaScript; keep this profile focused on exploitable WebView edges.
  - exclude:
      id: java/android/websettings-javascript-enabled

paths:
  - apps/android/app/src/main

paths-ignore:
  - "**/.gradle"
  - "**/build"
  - "**/node_modules"
  - "**/coverage"
  - "**/*.generated.*"
  - "**/*Test.kt"
  - "**/*Test.java"
  - "**/*Benchmark.kt"
  - apps/android/app/src/test
  - apps/android/benchmark