Merged
49 changes: 49 additions & 0 deletions .github/workflows/codeql.yml
@@ -0,0 +1,49 @@
name: "CodeQL Analysis"

on:
workflow_dispatch:
push:
branches: [ "main", "release/*" ]
pull_request:
branches: [ "main", "release/*" ]

jobs:
analyze:
name: Analyze (C#)
runs-on: windows-latest
timeout-minutes: 120

permissions:
actions: read
contents: read
security-events: write

strategy:
fail-fast: false

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Setup .NET SDK
uses: actions/setup-dotnet@v4
with:
global-json-file: global.json

- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
Comment on lines +25 to +35
Copilot AI Feb 18, 2026

For supply-chain hardening, consider pinning third-party GitHub Actions to full commit SHAs instead of floating major tags (e.g., @v4). This reduces the risk of a compromised action release affecting the workflow.

languages: csharp
queries: security-extended

- name: Restore NuGet packages
run: |
dotnet restore WPFSamples.sln

- name: Build solution
run: dotnet build WPFSamples.sln --configuration Release --no-restore /p:Platform="Any CPU" /p:LangVersion=latest /p:TreatWarningsAsErrors=false

Copilot AI Feb 18, 2026

The build command forces /p:LangVersion=latest, which can change compilation semantics relative to the repo’s intended configuration and potentially introduce build failures that don’t exist in normal builds. Consider removing this override so CodeQL analyzes the code as it is normally compiled.

Suggested change
run: dotnet build WPFSamples.sln --configuration Release --no-restore /p:Platform="Any CPU" /p:LangVersion=latest /p:TreatWarningsAsErrors=false
run: dotnet build WPFSamples.sln --configuration Release --no-restore /p:Platform="Any CPU" /p:TreatWarningsAsErrors=false

continue-on-error: true

Copilot AI Feb 18, 2026

The build step is marked continue-on-error: true, which can allow the workflow to succeed even when the solution fails to compile. For compiled-language CodeQL analysis this can result in an incomplete/empty database and misleading “successful” security scanning. Consider removing continue-on-error, or explicitly handling build failures (e.g., fail the job or gate analysis on a successful build).

Suggested change
continue-on-error: true

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: "/language:csharp"
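Review bot: the `strategy:` block declares `fail-fast: false` but no `matrix:`, so the setting is inert; either drop those two lines or add the matrix they anticipate (for example a `language` list, with `languages: ${{ matrix.language }}` replacing the hard-coded `languages: csharp` in the init step), so that adding a second language later does not require restructuring the job. Separately, `on:` lists only `workflow_dispatch`, `push` and `pull_request`, so the `security-extended` query pack runs only when code changes; a `schedule:` cron trigger would re-scan `main` when new queries ship, which is the usual CodeQL recommendation. The `permissions:` block is correctly minimal: `security-events: write` is required for the analyze step to upload SARIF, and `actions`/`contents` stay read-only.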