Fallout-build/Fallout

Add CodeQL workflow for security scanning

Open

#7 aberto em 18 de mai. de 2026

Ver no GitHub
 (0 comments) (0 reactions) (0 assignees)C# (1 fork)github user discovery
good first issuetarget/2026

Métricas do repositório

Stars
 (43 stars)
Métricas de merge de PR
 (Métricas PR pendentes)

Description

Why

The only static analysis today is Qodana (code quality, not security). For enterprise positioning we need a SAST scanner that lands findings in the GitHub Security tab. CodeQL is the GitHub-native option, free for public repos, and supports C# (the bulk of this codebase).

Scope

  • Add .github/workflows/codeql.yml — checkout, init CodeQL, build, analyze.
  • Languages: csharp (primary). Maybe add javascript later if the docs site moves into this repo.
  • Schedule: on push to main + PRs targeting main, plus a weekly cron for advisory-database refresh.
  • Ignore generated files: source/Nuke.Common/Tools/**/*.Generated.cs, build/_build/**/obj/**, build/Build.CI.*.cs (auto-generated).

Done when

  • CodeQL workflow committed
  • First scan completes green (or findings triaged)
  • GitHub Security tab populated

Guia do colaborador