Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 47 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
name: CodeQL

on:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot generated:
There is no schedule: trigger, so a branch that's quiet for weeks is never re-analyzed against newly-published CodeQL queries for newly-disclosed vulnerability classes. GitHub's default setup includes a weekly cron for exactly this. The ADO always: true change only partially mitigates this (csharp/python, not JS/TS). Consider adding a weekly schedule. (Raised by Advocate and Skeptic.) [unverified]

[verified]

push:
branches:
- main
- release/*

permissions:
actions: read
contents: read
security-events: write

jobs:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot generated:
There is no concurrency block, so rapid successive pushes to main spawn overlapping full analyses (each up to the 360-min timeout). Adding concurrency: { group: codeql-${{ github.ref }}, cancel-in-progress: true } would coalesce superseded runs and save runner minutes. Efficiency only, not correctness. (Advocate and Skeptic.) [unverified]

[verified]

analyze:
name: Analyze (${{ matrix.language }})
runs-on: ${{ matrix.os }}
timeout-minutes: 360

strategy:
fail-fast: false
matrix:
include:
- language: csharp
build-mode: none
os: windows-latest
- language: javascript-typescript
build-mode: none
os: ubuntu-latest
- language: python
build-mode: none
os: ubuntu-latest

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}

- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{ matrix.language }}"
3 changes: 2 additions & 1 deletion azure-pipelines-compliance.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ name: $(date:yy)$(DayOfYear)$(rev:.r)
trigger: none
pr: none

# Trigger builds on a nightly schedule, as long as there are changes
# Trigger builds on a nightly schedule so compliance scans stay current.
# Ignore the azure-pipelines.yml, since that's a different pipeline
# All times are in UTC, so 8AM = Midnight PST
schedules:
Expand All @@ -27,6 +27,7 @@ schedules:
branches:
include:
- main
always: true

jobs:

Expand Down