Skip to content

Add CodeQL code scanning workflow#1063

Open
vharseko wants to merge 2 commits into
OpenIdentityPlatform:masterfrom
vharseko:codeql-analysis
Open

Add CodeQL code scanning workflow#1063
vharseko wants to merge 2 commits into
OpenIdentityPlatform:masterfrom
vharseko:codeql-analysis

Conversation

@vharseko

@vharseko vharseko commented Jul 9, 2026

Copy link
Copy Markdown
Member

Adds .github/workflows/codeql.yml — GitHub CodeQL code scanning for the repository.

What it does

  • Languages (all build-mode: none, i.e. source extraction — no Maven/MSBuild on the runner):
    • java-kotlin — primary codebase
    • javascript-typescript — XUI / JS sources
    • csharp — the Fedlet .NET SAML2 library (openam-federation-library)
    • actions — the repo's own GitHub Actions workflows
  • Triggers: push/PR to master, a weekly schedule (Mon 03:27 UTC), and manual workflow_dispatch.
  • Query suite: security-and-quality.
  • Concurrency: cancels superseded runs on the same ref.
  • Least-privilege permissions; pinned checkout@v7 / codeql-action@v4.

Scoping (paths-ignore)

Excludes tests (src/test, src/it), vendored/minified JS (*.min.js, node_modules, test-output, the XUI libs and JS-SDK lib trees) and .NET build output (obj, bin).

Notes

  • Python was intentionally left out — the only .py files are node-gyp tooling under node_modules.
  • C/C++ was left out — it's legacy Solaris-only native glue that requires a compiled build (CodeQL C/C++ doesn't support build-mode: none) and won't build on ubuntu-latest. A commented-out manual Maven build block is included for switching Java to higher-precision build-mode: manual later.

Add .github/workflows/codeql.yml running GitHub CodeQL for
java-kotlin, javascript-typescript, csharp and actions with
build-mode: none (source extraction, no Maven/MSBuild on the runner).
Triggers on push/PR to master, a weekly schedule and workflow_dispatch;
uses the security-and-quality query suite and excludes test,
vendored/minified JS and .NET build-output paths.
@vharseko vharseko requested a review from maximthomas July 9, 2026 11:28
@vharseko vharseko added ci CI, GitHub Actions, or build pipeline security Security fix or hardening (CVE, GHSA, XSS/CSRF/SSRF) enhancement labels Jul 9, 2026
Comment thread .github/workflows/codeql.yml Outdated
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci CI, GitHub Actions, or build pipeline enhancement security Security fix or hardening (CVE, GHSA, XSS/CSRF/SSRF)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants