
Enable Code Scanning & Address Code Quality Issues #93

Open
zacowan opened this issue Aug 1, 2023 · 4 comments

Comments

@zacowan

zacowan commented Aug 1, 2023

GitHub provides a code-scanning tool (Settings > Code Security and Analysis > Code Scanning) named CodeQL that helps identify common code quality and security issues. When enabling this in a fork of the repo, there appear to be 30 code quality issues that CodeQL recommends addressing. Some of these are in the dist folder, so there's likely some level of duplication that should mean fewer than 30 code issues.

It would be useful to address these code quality/security issues to improve the security and reliability of this action.

[Screenshot attached: 2023-08-01, 7:46:48 PM]
@zacowan
Author

zacowan commented Aug 1, 2023

Looks like these are ALL actually for the bundled pnpm.js file, which may be from the actual pnpm repo?

@KSXGitHub
Collaborator

Can you create a PR that sets up Code Scanning for all files except dist and pnpm.js?

@zacowan
Author

zacowan commented Aug 11, 2023

> Can you create a PR that sets up Code Scanning for all files except dist and pnpm.js?

It looks like there's a way to set up "advanced code scanning", which is effectively just a workflow file. Looking at the options for this though, I'm not noticing any options for filtering out which files to scan. I'm looking through the "Configuring advanced setup" and "Customizing code scanning" sections - do you see anything I'm missing?

I imagine (if you don't find anything) that the idea is if you don't scan a part of a repository for code security scanning, then that kinda defeats the purpose, since there will always be some part of the repo that won't be secure 😅
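For reference, here is how the scope of a CodeQL "advanced setup" scan is narrowed. This is an added example and not a file from this repository: the workflow passes a `config-file` to `github/codeql-action/init`, and that config file's `paths-ignore` key lists the paths CodeQL should not analyze. The file paths, branch name, and the `dist` / `pnpm.js` globs are assumptions based on the discussion above; the `paths-ignore` and `config-file` keys themselves are standard CodeQL options.

```yaml
# File 1 (assumed path): .github/workflows/codeql.yml
name: "CodeQL"

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required to upload SARIF results to code scanning

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: github/codeql-action/init@v2
        with:
          languages: javascript
          # Point the init step at a config file that scopes the scan.
          config-file: ./.github/codeql/codeql-config.yml

      - uses: github/codeql-action/analyze@v2

---
# File 2 (assumed path): .github/codeql/codeql-config.yml
name: "Scope CodeQL to the action's own source"

# Everything under dist/ is a build artifact of src/, and pnpm.js is a
# vendored bundle, so findings there are either duplicates or upstream's.
# Both globs below are assumptions for this example.
paths-ignore:
  - dist
  - "**/pnpm.js"
```

The two YAML documents are separate files in the repository; they are shown together here only for readability. Note what an exclusion does and does not do: findings in `dist/` and `pnpm.js` stop being reported, but the excluded code is still what the action ships and runs, so the scan result no longer says anything about it. That is the trade-off raised in this thread, and it is why refreshing the vendored `pnpm.js` from upstream is the alternative to ignoring it.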

@KSXGitHub
Collaborator

> I imagine (if you don't find anything) that the idea is if you don't scan a part of a repository for code security scanning

Ah, I see. Then we would have to update the pnpm.js to the latest version, assuming pnpm itself passes the code scanning.
