
security(codeql): Advanced Setup fuer C# (build-mode manual)#61

Merged
tomtastisch merged 3 commits into main from codex/security/codeql-csharp-advanced-setup
Feb 14, 2026

Conversation

tomtastisch (Owner) commented Feb 14, 2026

Goal & Scope

Fixes #58: CodeQL for language:csharp should no longer run with build-mode: none but instead execute a real .NET build, so that extraction/analysis quality stays reliably above the thresholds.

Non-Goals:

  • No substantive changes to the product code.
  • No changes to SECURITY.md.

Completed tasks (check off)

  • Added Advanced CodeQL workflow (.github/workflows/codeql.yml).
  • Configured build-mode: manual (explicitly, not none).
  • Implemented traced build via dotnet restore + dotnet build -c Release on FileClassifier.sln.
  • SHA-pinned actions/dependencies and set least-privilege permissions.

Follow-ups from review (iterative)

  • (if the review provides pointers) Adjust workflow/build steps so that CodeQL extraction is complete.
  • (if the review provides pointers) Fine-tune query set/category.

Security and Merge Gates

Evidence (auditable)

Local:

  • bash tools/ci/bin/run.sh preflight -> /Users/tomwerner/RiderProjects/FileClassifier/artifacts/ci/preflight/summary.md
  • bash tools/ci/bin/run.sh build -> /Users/tomwerner/RiderProjects/FileClassifier/artifacts/ci/build/summary.md
  • bash tools/ci/bin/run.sh tests-bdd-coverage -> /Users/tomwerner/RiderProjects/FileClassifier/artifacts/ci/tests-bdd-coverage/summary.md

CI (PR #61):

  • CodeQL Workflow Run: 22021055053 (Job: Analyze (csharp))
  • CI Workflow Run (incl. preflight/pr-governance): 22021055059

DoD (at least 2 per item)

  • Item: CodeQL Advanced Setup for C# (manual build)
  • DoD 1: Workflow is least-privilege and SHA-pinned (auditable in .github/workflows/codeql.yml).
  • DoD 2: Local build+tests are green (auditable in artifacts/ci/build/summary.md and artifacts/ci/tests-bdd-coverage/summary.md).
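The following workflow illustrates the shape the PR description calls for: build-mode: manual, a traced dotnet restore + dotnet build of FileClassifier.sln between the CodeQL init and analyze steps, actions pinned to commit SHAs, and least-privilege permissions. It is an added example, not the PR's own .github/workflows/codeql.yml. The `<full-commit-sha>` pins are placeholders to be replaced with the 40-character commit SHA of the action version in use, and the trigger branches, .NET SDK version, cron schedule and query suite are assumptions.

```yaml
name: CodeQL (C#)

on:
  push:
    branches: [main]          # assumption: default branch is main
  pull_request:
    branches: [main]
  schedule:
    - cron: "17 3 * * 1"      # assumption: weekly scheduled scan

# Least privilege: nothing at the workflow level beyond reading the checkout.
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze (csharp)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # required to upload SARIF results to code scanning
      actions: read           # only needed by the CodeQL action on private repositories

    steps:
      - name: Checkout
        # Pin to a commit SHA, not a mutable tag; keep the tag in a comment for review.
        uses: actions/checkout@<full-commit-sha> # vX.Y.Z (placeholder pin)
        with:
          persist-credentials: false  # do not leave the GITHUB_TOKEN in .git/config

      - name: Set up .NET SDK
        uses: actions/setup-dotnet@<full-commit-sha> # vX.Y.Z (placeholder pin)
        with:
          dotnet-version: "8.0.x"   # assumption: project targets .NET 8

      - name: Initialize CodeQL
        uses: github/codeql-action/init@<full-commit-sha> # vX.Y.Z (placeholder pin)
        with:
          languages: csharp
          build-mode: manual        # explicit: we run the build ourselves below
          queries: security-extended  # assumption: query suite chosen for this repo

      # With build-mode: manual, the CodeQL tracer records every compiler invocation
      # that happens between init and analyze. Only code compiled in this step is
      # extracted, so the build must be a full, untraced-cache-free compile.
      - name: Restore and build (traced)
        run: |
          dotnet restore FileClassifier.sln
          dotnet build FileClassifier.sln -c Release --no-restore --no-incremental \
            /p:UseSharedCompilation=false   # bypass the Roslyn build server so each csc call is traced

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@<full-commit-sha> # vX.Y.Z (placeholder pin)
        with:
          category: "/language:csharp"
```

The practical check after the first run is the "Analyze (csharp)" job log: the extractor reports how many C# source files it extracted. A count near zero means the build ran but was not traced (typically an incremental no-op build or a shared compilation server handling the compile outside the tracer), which is exactly the low-quality result that build-mode: none was producing; the `--no-incremental` and `UseSharedCompilation=false` flags above are there to prevent that failure mode.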

Copilot AI review requested due to automatic review settings February 14, 2026 16:58
github-actions bot added labels area:pipeline, ci (CI/workflow change), impl:config, versioning:patch (Fix/Refactor/Docs/CI/Tooling; requires PATCH bump) Feb 14, 2026
Copilot AI (Contributor) left a comment

Pull request overview

Adds a dedicated CodeQL Advanced Setup workflow for C# that performs a real traced .NET build (manual build-mode) to improve CodeQL extraction quality and address the “build-mode: none / low analysis quality” warning.

Changes:

  • Introduces .github/workflows/codeql.yml to run CodeQL for language:csharp with build-mode: manual.
  • Adds traced dotnet restore + dotnet build for FileClassifier.sln prior to analysis.


@tomtastisch tomtastisch enabled auto-merge (squash) February 14, 2026 17:08
@tomtastisch tomtastisch merged commit 7e32755 into main Feb 14, 2026
26 checks passed
@tomtastisch tomtastisch deleted the codex/security/codeql-csharp-advanced-setup branch February 14, 2026 17:14


Development

Successfully merging this pull request may close these issues.

CodeQL: C# analysis quality / build-mode none
