Enable CodeQL Scanning #196
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Auto-build could not build our repository, so adding in steps from our build.yml to enable scanning with CodeQL
Also go back to large runner as analysis ran out of memory before Update CodeQL Config to Limit Scope Don't run if only changes to markdown files, samples, or tests Only analyze src files and not generated files .g.cs files
|
Bugger, the filters to exclude the generated files aren't working... not sure why that would be... 😢 Will investigate this more later |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Continuation of #190, wanted to do a clean PR so that alerts would could be filtered now that enabled filtering out generated code.
Prior alerts from the very first pass weren't filtered out with the change, so it made it impossible to see the result of just scoped to our production code.
This isn't a priority to get in, but will be good to have. From the initial pass there are some good notes for us to investigate in the future, there were no critical security findings, so we should feel good about the upcoming release.