good first issuetarget/2026
Métriques du dépôt
- Stars
- (43 stars)
- Métriques de merge PR
- (Métriques PR en attente)
Description
Why
The only static analysis today is Qodana (code quality, not security). For enterprise positioning we need a SAST scanner that lands findings in the GitHub Security tab. CodeQL is the GitHub-native option, free for public repos, and supports C# (the bulk of this codebase).
Scope
- Add
.github/workflows/codeql.yml— checkout, init CodeQL, build, analyze. - Languages:
csharp(primary). Maybe addjavascriptlater if the docs site moves into this repo. - Schedule: on push to main + PRs targeting main, plus a weekly cron for advisory-database refresh.
- Ignore generated files:
source/Nuke.Common/Tools/**/*.Generated.cs,build/_build/**/obj/**,build/Build.CI.*.cs(auto-generated).
Done when
- CodeQL workflow committed
- First scan completes green (or findings triaged)
- GitHub Security tab populated