Adding code changes to integrate codeQL tool into pipeline#769
laxmikanth-msft merged 4 commits into main from
Pull request overview
Adds a GitHub Actions workflow to run GitHub CodeQL analysis for the WPF samples repository, enabling automated security scanning on pushes, PRs, manual runs, and a weekly schedule.
Changes:
- Introduces a new codeql.yml workflow that initializes and runs CodeQL for C# on windows-latest.
- Restores and builds WPFSamples.sln prior to CodeQL analysis.
- Configures workflow triggers for main / release/* and a weekly cron schedule.
.github/workflows/codeql.yml
| nuget restore WPFSamples.sln | ||
| dotnet restore WPFSamples.sln | ||
|
|
This workflow runs both nuget restore and dotnet restore on the same solution. Since the repo doesn’t appear to use packages.config-based restores, this is likely redundant and increases CI time/complexity. Consider keeping only dotnet restore WPFSamples.sln (or document why both are required).
| nuget restore WPFSamples.sln | |
| dotnet restore WPFSamples.sln | |
| dotnet restore WPFSamples.sln |
| dotnet restore WPFSamples.sln | ||
|
|
||
| - name: Build solution | ||
| run: dotnet build WPFSamples.sln --configuration Release --no-restore /p:Platform="Any CPU" /p:LangVersion=latest /p:TreatWarningsAsErrors=false |
The build command forces /p:LangVersion=latest, which can change compilation semantics relative to the repo’s intended configuration and potentially introduce build failures that don’t exist in normal builds. Consider removing this override so CodeQL analyzes the code as it is normally compiled.
| run: dotnet build WPFSamples.sln --configuration Release --no-restore /p:Platform="Any CPU" /p:LangVersion=latest /p:TreatWarningsAsErrors=false | |
| run: dotnet build WPFSamples.sln --configuration Release --no-restore /p:Platform="Any CPU" /p:TreatWarningsAsErrors=false |
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup .NET SDK | ||
| uses: actions/setup-dotnet@v4 | ||
| with: | ||
| global-json-file: global.json | ||
|
|
||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v4 | ||
| with: |
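Review bot: the `with:` block of the Initialize CodeQL step is truncated in this view; it should name the language explicitly (`languages: csharp`) and, because the workflow compiles the solution in its own later step, set `build-mode: manual`, so the CodeQL tracer captures that `dotnet build` invocation instead of relying on the action's default build mode for C#.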
For supply-chain hardening, consider pinning third-party GitHub Actions to full commit SHAs instead of floating major tags (e.g., @v4). This reduces the risk of a compromised action release affecting the workflow.
|
|
||
| - name: Build solution | ||
| run: dotnet build WPFSamples.sln --configuration Release --no-restore /p:Platform="Any CPU" /p:LangVersion=latest /p:TreatWarningsAsErrors=false | ||
| continue-on-error: true |
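Review bot: if `continue-on-error: true` on the build step is kept on purpose (for example so the job still reaches later steps when some projects do not compile), give the step an `id:` and make the job fail, or skip analysis, when `steps.<id>.outcome == 'failure'`; as written, a compile error leaves CodeQL analyzing whatever was traced from a partial build while the job still reports success.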
The build step is marked continue-on-error: true, which can allow the workflow to succeed even when the solution fails to compile. For compiled-language CodeQL analysis this can result in an incomplete/empty database and misleading “successful” security scanning. Consider removing continue-on-error, or explicitly handling build failures (e.g., fail the job or gate analysis on a successful build).
| continue-on-error: true |
|
@laxmikanth-msft, how are we going to run this pipeline? I am still new to this, just wanted to understand the process.
dipeshmsft left a comment
Apart from the comments I left, the current state does not cover all the samples in this repo.
We should also look at WPFSamples.Msbuild.sln; these are archaic and may not build, but I guess in the main pipeline these get built, so I recommend adding this.
@microsoft-github-policy-service agree
I've added code changes to add the CodeQL static analysis tool into the pipeline for WPF samples. This will run the CodeQL static analysis tool on the codebase, and if there are any abnormal changes in your PR, they will show up in the CodeQL analysis section.