You can extend the required Helmet security settings using data extensions in a CodeQL model pack. They default to just `frameguard` and `contentSecurityPolicy`, but you can add more using this method, to require that they are not set to `false` (which explicitly disables them) in the Helmet configuration.
For example, this YAML model can be used inside a CodeQL model pack to require `frameguard` and `contentSecurityPolicy`:

```yaml
extensions:
  - addsTo:
      pack: codeql/javascript-all
      extensible: requiredHelmetSecuritySetting
    data:
      - ["frameguard"]
      - ["contentSecurityPolicy"]
```
Note: Using `frameguard` and `contentSecurityPolicy` here is only an example: the query already enforces these two settings, so it is not necessary to add them with your own data extension.
A suitable model pack might be:

```yaml
name: my-org/javascript-helmet-insecure-config-model-pack
version: 1.0.0
extensionTargets:
  codeql/javascript-all: '*'
dataExtensions:
  - models/**/*.yml
```
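As an added illustration that is not part of the CodeQL documentation, the following plain JavaScript mirrors the rule the query applies once a data extension widens the required settings: any required Helmet middleware explicitly set to `false` in the options object is reported, while omitted or customised settings are not. The extra rows `hsts` and `noSniff` are assumed additions for illustration (they are real Helmet options, but the documentation above does not mention them), and both configurations are constructed samples.

```javascript
// Added example, not code from the CodeQL documentation or the Helmet project.
// The two defaults are the ones the documentation names; anything else a team
// adds arrives as rows of a data extension, one setting name per row.
const DEFAULT_REQUIRED = ["frameguard", "contentSecurityPolicy"];

// Mirror the YAML `data` rows: each row contributes one required setting.
function requiredSettings(extensionRows = []) {
  const names = new Set(DEFAULT_REQUIRED);
  for (const [name] of extensionRows) names.add(name);
  return [...names];
}

// Return the required settings that the options explicitly disable.
// Only a literal `false` counts: an omitted setting keeps Helmet's default
// and an object value is a customisation, so neither is reported. This is
// the "set to false" condition the documentation describes.
function disabledRequiredSettings(helmetOptions, required = DEFAULT_REQUIRED) {
  return required.filter((name) => helmetOptions[name] === false);
}

// Constructed sample: two protections switched off, HSTS merely customised.
const insecureOptions = {
  frameguard: false,            // clickjacking protection disabled
  contentSecurityPolicy: false, // CSP header disabled
  hsts: { maxAge: 31536000 },   // customised, not disabled
};

// Constructed sample: CSP tightened, everything else left at Helmet's defaults.
const hardenedOptions = {
  contentSecurityPolicy: {
    directives: { defaultSrc: ["'self'"] },
  },
};

// Assumed extension rows a team might ship in its model pack (not on the page).
const extraRows = [["hsts"], ["noSniff"]];

const required = requiredSettings(extraRows);
console.log(disabledRequiredSettings(insecureOptions, required)); // ["frameguard", "contentSecurityPolicy"]
console.log(disabledRequiredSettings(hardenedOptions, required)); // []
```

Running the check against the insecure object reports exactly the two settings the query would flag, and the hardened object produces an empty list even though `hsts` and `noSniff` are now required, because they are left at their defaults rather than set to `false`.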