Skip to content

graft: migrate to org-wide CodeQL configuration #484

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
security-graft-app wants to merge 1 commit into
base: main
Choose a base branch
from
Open

graft: migrate to org-wide CodeQL configuration #484

security-graft-app wants to merge 1 commit into from

Conversation

@security-graft-app
Copy link

@security-graft-app security-graft-app bot commented Oct 23, 2025

🔒 Migrate to org-wide CodeQL configuration

Hello! 👋

The sec eng team is rolling out an improved CodeQL configuration across all repositories. This provides several benefits:

  • Organisation-wide custom security rules — built on findings from past VAPTs
  • Suppression of noisy rules — reducing false positives in code scanning results
  • Faster rollout of fixes — critical rules can be added and silenced centrally without per-repo updates

🚀 What's changing with this PR?

  • Adds the custom CodeQL workflow in your repository

⚠️ Expected CI behaviour

The CodeQL action in this PR will fail initially. This is expected behaviour because custom CodeQL scanning cannot run whilst the default CodeQL scanning is still enabled on the repository.

ℹ️ What do I need to do as a maintainer?

  1. Disable the default CodeQL code scanning configuration:
    • This is because our custom CodeQL configuration cannot run alongside the default CodeQL configuration (hence CI fails).
    • Go to Settings > Security & analysis in your repo
    • Look for “Code scanning” > “CodeQL analysis”
    • Click Disable CodeQL
  2. Merge this PR

Your repository will then automatically use our shared CodeQL setup and custom rules.

If you wish to revert this change, you just need to re-enable the CodeQL in the settings page above, then remove the workflow added in this PR.

💬 Questions or feedback?

Reach out anytime at #security and let us know if you spot issues.

Thank you for helping keep our codebases secure and maintainable!

Generated by GRAFT

@github-advanced-security
Copy link

github-advanced-security bot commented Oct 23, 2025

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants