Suppress false positive CodeQL warning on LocalOrchestrationService (#1348)

AnatoliB · Copilot · web-flow · commit 8b8f1e83a96c · 2026-05-11T16:40:22.000-07:00
* Suppress CodeQL warnings for LocalOrchestrationService regarding serialization security in in-proc testing context

Co-authored-by: Copilot &lt;copilot@github.com&gt;

* Fix suppression syntax

Co-authored-by: Copilot &lt;copilot@github.com&gt;

---------

Co-authored-by: Copilot &lt;copilot@github.com&gt;
diff --git a/src/DurableTask.Emulator/LocalOrchestrationService.cs b/src/DurableTask.Emulator/LocalOrchestrationService.cs
@@ -54,6 +54,8 @@ public class LocalOrchestrationService : IOrchestrationService, IOrchestrationSe
         readonly object timerLock = new object();
 
         readonly ConcurrentDictionary<string, TaskCompletionSource<OrchestrationState>> orchestrationWaiters;
+
+        // CodeQL [SM02211] False positive: in-proc test-only emulator; bytes stay in-memory and never cross a trust boundary.
         static readonly JsonSerializerSettings StateJsonSettings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Auto };
 
         /// <summary>
