Skip to content

Add CodeQL code-scanning workflow#97

Merged
vharseko merged 1 commit into
OpenIdentityPlatform:masterfrom
vharseko:features/codeql
Jul 10, 2026
Merged

Add CodeQL code-scanning workflow#97
vharseko merged 1 commit into
OpenIdentityPlatform:masterfrom
vharseko:features/codeql

Conversation

@vharseko

@vharseko vharseko commented Jul 9, 2026

Copy link
Copy Markdown
Member

Adds a CodeQL code-scanning workflow, adapted for OpenICF.

What it does

  • Analyzes java-kotlin and actions (the repo's own GitHub Actions workflows).
  • Uses build-mode: none — CodeQL models straight from Java sources without a Maven compile, avoiding the long, eventually-cancelled autobuild.
  • Query suite: security-and-quality.
  • Triggers: push/PR on master, weekly Monday cron, and manual workflow_dispatch.
  • concurrency cancels superseded runs; least-privilege permissions; 360-min timeout.
  • paths-ignore excludes **/src/test/** and **/src/it/**.

Scoping notes

  • No csharp (repo has no .NET module) and no javascript-typescript (only a single JS test resource) — dropped vs. the upstream reference.
  • The Groovy connector sources are not covered — CodeQL has no Groovy analyzer.
  • A commented-out build-mode: manual Maven block is included for switching to dataflow-through-dependencies precision later.

Analyze java-kotlin and GitHub Actions with build-mode 'none' (no Maven
compile), security-and-quality queries, weekly schedule and PR triggers.
Test and integration-test sources are excluded via paths-ignore.
@vharseko vharseko requested a review from maximthomas July 9, 2026 11:55
@vharseko vharseko added ci CI, build & workflow changes security Security fix / CVE remediation labels Jul 9, 2026
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@vharseko vharseko merged commit 4a1af66 into OpenIdentityPlatform:master Jul 10, 2026
20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci CI, build & workflow changes security Security fix / CVE remediation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants