[CI]: Add CodeQL SAST, Dependabot config, and OSSF Scorecard workflow#10
Merged
Conversation
0baca4a to
da63a1e
Compare
This was referenced Apr 17, 2026
nina-msft
reviewed
Apr 20, 2026
nina-msft
reviewed
Apr 20, 2026
nina-msft
reviewed
Apr 20, 2026
nina-msft
approved these changes
Apr 20, 2026
nina-msft
left a comment
Contributor
There was a problem hiding this comment.
LGTM after comments are addressed :)
da63a1e to
5a4d7d9
Compare
This was referenced Apr 21, 2026
22f6e11 to
26e80ba
Compare
26e80ba to
161752b
Compare
161752b to
31ec29b
Compare
31ec29b to
b819447
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Add CodeQL SAST analysis, Dependabot dependency management, and OSSF Scorecard
supply-chain security workflow.
CodeQL (
.github/workflows/codeql.yml):main, PRs targetingmain, and weekly (Wednesdays 14:25 UTC)actions/checkout@v6.0.2,github/codeql-action@v4.35.1)actions: read,contents: read,security-events: writeDependabot (
.github/dependabot.yml):and devcontainers ecosystems
[MAINT]per repo conventionOSSF Scorecard (
.github/workflows/scorecard.yml):main, PRs, and weekly (Saturdays 06:30 UTC)ossf/scorecard-action@v2.4.3All workflows use
persist-credentials: falseand empty defaultpermissions: {}following security best practices.
Breaking changes
None
Checklist
pre-commit run --all-filespasses