Conversation


Copilot AI commented Nov 18, 2025

Success criteria

Please describe what should be possible after this change. List each item on a separate line.

  • CodeQL security analysis runs automatically on push to main and pull requests
  • The library is built before analysis to enable comprehensive code scanning
  • Weekly scheduled scans provide ongoing security monitoring
  • Security vulnerabilities are detected and reported in GitHub Security tab

How to test

Please describe the individual steps a peer can follow to test your change.

  1. Push changes to main or create a PR targeting main
  2. Verify the "CodeQL" workflow appears in Actions tab
  3. Confirm workflow completes: installs dependencies → builds library → runs analysis
  4. Check that security findings (if any) appear in Security → Code scanning alerts

Security

  • Possible injection vector
  • Authentication/Access controls touched
  • Sensitive Data could be exposed
  • XSS
  • Logging/Monitoring touched
  • Exchanges data with external systems
  • No security implications

Additional considerations

  • This PR might have performance implications

Documentation Considerations

These are hints for the documentation team to help write the docs.

CodeQL workflow now scans JavaScript/TypeScript codebase using security-extended and security-and-quality query packs. Analysis runs after building the library with npm run build to ensure complete code coverage.

Original prompt

add a codeQL action to the pipeline which builds the library and runs analysis against the build


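A workflow matching the description above (push and pull request on main, a weekly schedule, install → build → analyze, JavaScript/TypeScript with the security-extended and security-and-quality query packs). This is an added illustration, not the workflow file from this PR; the Node version, the `npm ci` install step and the cron time are assumptions.

```yaml
# .github/workflows/codeql.yml (illustrative; not the file added by this PR)
name: "CodeQL"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    # Weekly scheduled scan (Monday 06:00 UTC; day and hour are assumed)
    - cron: "0 6 * * 1"

permissions:
  contents: read          # read-only checkout is enough
  security-events: write  # required to upload results to the Security tab
  actions: read           # needed on private repositories for the upload step

jobs:
  analyze:
    name: Analyze (javascript-typescript)
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"   # assumed; match the project's engines field

      - name: Install dependencies
        run: npm ci            # assumed lockfile-based install

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          # security-and-quality already contains security-extended; both are
          # listed only because the PR description names both packs.
          queries: security-extended,security-and-quality

      - name: Build library
        run: npm run build     # build step named in the PR description

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript-typescript"
```

CodeQL extracts JavaScript/TypeScript without a compiled build, so the build step only matters when the analysis should also cover generated sources; if emitted bundles (for example a `dist/` directory) should not be scanned as source, exclude them with a `paths-ignore` entry in a CodeQL config file.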


Copilot AI commented Nov 18, 2025

@graymalkin77 Unfortunately I hit an unexpected error while processing your comment. I've automatically reported this to GitHub.

You can ask me to try again later by mentioning me in a new comment.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: 7776d0a0-8a2c-4065-9de9-05fa8102a195

Sorry for the inconvenience!

Co-authored-by: kwinto <90881+kwinto@users.noreply.github.com>
Copilot AI changed the title [WIP] Add CodeQL action to build library and run analysis Add CodeQL workflow for automated security analysis Nov 18, 2025
Copilot AI requested a review from kwinto November 18, 2025 09:40
Copilot finished work on behalf of kwinto November 18, 2025 09:40