Why
The only static analysis today is Qodana (code quality, not security). For enterprise positioning we need a SAST scanner that lands findings in the GitHub Security tab. CodeQL is the GitHub-native option, free for public repos, and supports C# (the bulk of this codebase).
Scope
- Add .github/workflows/codeql.yml — checkout, init CodeQL, build, analyze.
- Languages: csharp (primary). Maybe add javascript later if the docs site moves into this repo.
- Schedule: on push to main + PRs targeting main, plus a weekly cron for advisory-database refresh.
- Ignore generated files: source/Nuke.Common/Tools/**/*.Generated.cs, build/_build/**/obj/**, build/Build.CI.*.cs (auto-generated).
Done when