Fallout-build/Fallout

Add CodeQL workflow for security scanning

Open

#7 创建于 2026年5月18日

在 GitHub 查看
 (0 评论) (0 反应) (0 负责人)C# (1 fork)github user discovery
good first issuetarget/2026

仓库指标

Star
 (43 star)
PR 合并指标
 (PR 指标待抓取)

描述

Why

The only static analysis today is Qodana (code quality, not security). For enterprise positioning we need a SAST scanner that lands findings in the GitHub Security tab. CodeQL is the GitHub-native option, free for public repos, and supports C# (the bulk of this codebase).

Scope

  • Add .github/workflows/codeql.yml — checkout, init CodeQL, build, analyze.
  • Languages: csharp (primary). Maybe add javascript later if the docs site moves into this repo.
  • Schedule: on push to main + PRs targeting main, plus a weekly cron for advisory-database refresh.
  • Ignore generated files: source/Nuke.Common/Tools/**/*.Generated.cs, build/_build/**/obj/**, build/Build.CI.*.cs (auto-generated).

Done when

  • CodeQL workflow committed
  • First scan completes green (or findings triaged)
  • GitHub Security tab populated

贡献者指南