Fallout-build/Fallout

Add CodeQL workflow for security scanning

Open

#7 ouverte le 18 mai 2026

Voir sur GitHub
 (0 commentaires) (0 réactions) (0 assignés)C# (1 fork)github user discovery
good first issuetarget/2026

Métriques du dépôt

Stars
 (43 stars)
Métriques de merge PR
 (Métriques PR en attente)

Description

Why

The only static analysis today is Qodana (code quality, not security). For enterprise positioning we need a SAST scanner that lands findings in the GitHub Security tab. CodeQL is the GitHub-native option, free for public repos, and supports C# (the bulk of this codebase).

Scope

  • Add .github/workflows/codeql.yml — checkout, init CodeQL, build, analyze.
  • Languages: csharp (primary). Maybe add javascript later if the docs site moves into this repo.
  • Schedule: on push to main + PRs targeting main, plus a weekly cron for advisory-database refresh.
  • Ignore generated files: source/Nuke.Common/Tools/**/*.Generated.cs, build/_build/**/obj/**, build/Build.CI.*.cs (auto-generated).

Done when

  • CodeQL workflow committed
  • First scan completes green (or findings triaged)
  • GitHub Security tab populated

Guide contributeur