Add CodeQL analysis workflow and update compliance pipeline schedule comment #8539
/azp run

Azure Pipelines successfully started running 1 pipeline(s).
| @@ -0,0 +1,47 @@ | |||
| name: CodeQL | |||
| on: | |||
Copilot generated:
There is no schedule: trigger, so a branch that's quiet for weeks is never re-analyzed against newly-published CodeQL queries for newly-disclosed vulnerability classes. GitHub's default setup includes a weekly cron for exactly this. The ADO always: true change only partially mitigates this (csharp/python, not JS/TS). Consider adding a weekly schedule. (Raised by Advocate and Skeptic.) [unverified]
[verified]
| contents: read | ||
| security-events: write | ||
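Review bot: the permissions block (`contents: read`, `security-events: write`) is the least-privilege set the CodeQL analyze step needs to check out the code and upload SARIF results; keep it at workflow level and avoid re-expanding it with a job-level `permissions:` that grants additional write scopes unless a specific step needs them.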
| jobs: |
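Review bot: no job-level `timeout-minutes` is visible under `jobs:`; as the comment below notes, the default cap is 360 minutes per job, so an explicit, lower `timeout-minutes` on the analyze job bounds a runaway analysis independently of whether a `concurrency` group is added.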
Copilot generated:
There is no concurrency block, so rapid successive pushes to main spawn overlapping full analyses (each up to the 360-min timeout). Adding concurrency: { group: codeql-${{ github.ref }}, cancel-in-progress: true } would coalesce superseded runs and save runner minutes. Efficiency only, not correctness. (Advocate and Skeptic.) [unverified]
[verified]
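As an added illustration (not the workflow file from this pull request, whose full contents are not visible here), the following shows how the two review suggestions above, a weekly `schedule` trigger and a `concurrency` group keyed on the ref, sit alongside the least-privilege permissions block. The job name, branch name, cron expression and `timeout-minutes` value are assumptions chosen for the example:

```yaml
name: CodeQL

on:
  push:
    branches: [main]          # assumed default branch
  pull_request:
    branches: [main]
  schedule:
    # Weekly re-analysis so quiet branches still pick up newly published queries.
    # Cron expression is an example value: Mondays at 06:00 UTC.
    - cron: "0 6 * * 1"

# Coalesce overlapping runs on the same ref; a newer push cancels the older analysis.
concurrency:
  group: codeql-${{ github.ref }}
  cancel-in-progress: true

# Minimal token scopes: read the source, write SARIF to the Security tab.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:                    # assumed job name
    runs-on: ubuntu-latest
    timeout-minutes: 90       # example value; bounds a runaway analysis below the 360-minute default
    strategy:
      fail-fast: false
      matrix:
        language: [javascript-typescript, python]   # example language set
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@v3
```

The `concurrency` and `permissions` keys are placed at workflow level so they apply to every job; `cancel-in-progress: true` is appropriate for analysis jobs because a superseded run produces no result anyone will act on.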
No description provided.