
feat: Enable CodeQL Advanced Security scanning#23

Merged: Caoxuyang merged 1 commit into main from setup-codeql-security on Jun 9, 2026

Conversation

@Caoxuyang

Member

This PR enables CodeQL Advanced Security for the GitHub Copilot Modernization Agent repository with configurations optimized for agent/plugin code patterns.

What's Added

Security Scanning

  • CodeQL workflow for Python and JavaScript/TypeScript
  • Runs on push to main, pull requests, and weekly schedule
  • Uses security-extended query suite for comprehensive coverage

Smart Configuration

  • Custom config filters common false positives in agent orchestration code
  • Excludes test fixtures and data directories
  • Pre-configured for:
    • Shell command execution (validated at orchestration layer)
    • Path construction (scoped to project directories)
    • Agent logging (workflow metadata only)
    • Plugin loading patterns

Documentation

  • CODEQL_GUIDE.md: Detailed guide for handling alerts
  • CODEQL_SETUP.md: Complete setup and maintenance documentation
  • PR template with security checklist

Why These Configurations?

Agent systems have legitimate patterns that can trigger false positives:

  • Dynamic command execution for modernization workflows
  • File path construction for multi-project analysis
  • Plugin loading and orchestration

The configuration balances security scanning with practical agent development needs.

Testing

  • Workflow syntax validated
  • Config follows CodeQL schema
  • Documentation includes examples for all common alert types

Closes #[issue-number-if-any]
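The PR's own workflow and config files are not reproduced on this page. As an added example (not the PR author's code), the two files below show how the pieces listed above fit together: push/PR/weekly triggers, the Python and JavaScript/TypeScript matrix, the security-extended suite, excluded fixture and data directories, and a query filter. Both are shown in one block separated by `---`; the file paths, directory names, config name and cron value are assumptions.

```yaml
# .github/workflows/codeql.yml (assumed path; not the PR's file)
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"  # weekly; day and hour are constructed values
permissions:
  contents: read
  actions: read
  security-events: write  # required to upload results to the Security tab
jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [python, javascript-typescript]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/codeql-config.yml
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
---
# .github/codeql/codeql-config.yml (assumed path and directory names)
name: "Agent repository CodeQL config"
queries:
  - uses: security-extended  # broader suite than the default, as the PR describes
# Fixture and data trees are skipped entirely rather than alert-by-alert.
paths-ignore:
  - tests/fixtures/**
  - data/**
# Filters act on query metadata for the whole repository, so excluding a
# query id (e.g. a command-execution query) silences real findings too.
# Dropping only the lowest-severity tier keeps error-level security
# results for shell commands, path construction and logging visible.
query-filters:
  - exclude:
      problem.severity:
        - recommendation
```

Per-alert false positives in orchestration code are better recorded as dismissed alerts with a reason on the Security tab than as repository-wide query exclusions, since a dismissal keeps the query running for every other sink.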

@Caoxuyang Caoxuyang force-pushed the setup-codeql-security branch 2 times, most recently from 558e2b0 to ac53a3a on June 9, 2026 07:41
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@Caoxuyang Caoxuyang force-pushed the setup-codeql-security branch from ac53a3a to 350b739 on June 9, 2026 07:43
@Caoxuyang Caoxuyang force-pushed the setup-codeql-security branch from 350b739 to 55e2028 on June 9, 2026 08:27

Add CodeQL workflow for Python and JavaScript/TypeScript scanning.

This plugin contains utility scripts for Java project analysis:
- build_knowledge_graph.py: Tree-sitter based code analysis (2048 lines)
- decompose.py: Project decomposition tool (2156 lines)
- install_grammars.py: Grammar installation helper (70 lines)

Configuration includes query filters for common patterns in CLI tools:
- Shell command execution for build system integration
- Path handling for local project analysis
- Logging of analysis results

These filters reduce false positives while maintaining security coverage.
@Caoxuyang Caoxuyang force-pushed the setup-codeql-security branch from 55e2028 to 8a0d558 on June 9, 2026 08:53
@Caoxuyang Caoxuyang merged commit 42c1189 into main Jun 9, 2026
4 checks passed