Skip to content

Add CodeQL workflow for automated security analysis#194

Draft
Copilot wants to merge 2 commits intomainfrom
copilot/add-codeql-action-pipeline
Draft

Add CodeQL workflow for automated security analysis#194
Copilot wants to merge 2 commits intomainfrom
copilot/add-codeql-action-pipeline

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Nov 18, 2025
edited
Loading

Success criteria

Please describe what should be possible after this change. List all individual items on a separate line.

  • CodeQL security analysis runs automatically on push to main and pull requests
  • The library is built before analysis to enable comprehensive code scanning
  • Weekly scheduled scans provide ongoing security monitoring
  • Security vulnerabilities are detected and reported in GitHub Security tab

How to test

Please describe the individual steps on how a peer can test your change.

  1. Push changes to main or create a PR targeting main
  2. Verify the "CodeQL" workflow appears in Actions tab
  3. Confirm workflow completes: installs dependencies → builds library → runs analysis
  4. Check that security findings (if any) appear in Security → Code scanning alerts

Security

  • Possible injection vector
  • Authentication/Access controls touched
  • Sensitive Data could be exposed
  • XSS
  • Logging/Monitoring touched
  • Exchanges data with external systems
  • No security implications

Additional considerations

  • This PR might have performance implications

Documentation Considerations

These are hints for the documentation team to help write the docs.

CodeQL workflow now scans JavaScript/TypeScript codebase using security-extended and security-and-quality query packs. Analysis runs after building the library with npm run build to ensure complete code coverage.

Original prompt

add a codeQL action to the pipeline which builds the library and runs analysis against the build

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@graymalkin77
Copy link
Copy Markdown

graymalkin77 commented Nov 18, 2025
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Copy link
Copy Markdown
Contributor Author

Copilot AI commented Nov 18, 2025

@graymalkin77 Unfortunately I hit an unexpected error while processing your comment. I've automatically reported this to GitHub.

You can ask me to try again later by mentioning me in a new comment.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: 7776d0a0-8a2c-4065-9de9-05fa8102a195

Sorry for the inconvenience!

@kwinto
Add CodeQL workflow for security analysis with build step
e3e641a 
Co-authored-by: kwinto <90881+kwinto@users.noreply.github.com>
Copilot AI changed the title [WIP] Add CodeQL action to build library and run analysis Add CodeQL workflow for automated security analysis Nov 18, 2025
Copilot AI requested a review from kwinto November 18, 2025 09:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kwinto kwinto Awaiting requested review from kwinto

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees

@kwinto kwinto

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@graymalkin77 @kwinto