Add CodeQL code scanning workflow (Python, JavaScript/TypeScript, C#, Go) (#15)

Copilot · seesharprun · Copilot · web-flow · commit 934f6b5292aa · 2026-03-19T09:53:36.000-04:00
Adds CodeQL analysis to gate PRs and run on schedule across the languages present in the monorepo, using the `Analyze Samples` workflow (named to mirror the existing `Validate Samples` workflow). ## Workflow design - **Separate jobs per language** (`analyze-python`, `analyze-javascript`, `analyze-dotnet`, `analyze-go`) so each produces an independent status check that can be individually required in branch protection rules - Job display names follow the same pattern as the validation workflow: `Analyze Python Samples`, `Analyze JavaScript/TypeScript Samples`, `Analyze .NET Samples`, `Analyze Go Samples` - `if: github.repository == 'AzureCosmosDB/samples'` guard on the `Perform CodeQL Analysis` step (SARIF upload) ensures fork PRs complete the jobs successfully — satisfying required status checks — while the upload is skipped where `security-events: write` is unavailable - `workflow_dispatch` added for on-demand scans - `queries: security-and-quality` on all jobs — reference examples only use default security queries, missing code quality coverage - Workflow-level `concurrency` with `cancel-in-progress: true` prevents redundant queued runs on rapid pushes ## Per-language build modes | Language | Build mode | Notes | |---|---|---| | Python | `none` | Interpreted; no build needed | | JavaScript/TypeScript | `none` | Source-only analysis; compilation is handled by the validation workflow | | C# | `none` | Source-only analysis; compilation is handled by the validation workflow | | Go | `autobuild` | Works with module-per-sample layout | ## Repository setup required 1. **Branch protection** (Settings → Branches → `main`): add `Analyze Samples / Analyze Python Samples`, `Analyze Samples / Analyze JavaScript/TypeScript Samples`, `Analyze Samples / Analyze .NET Samples`, `Analyze Samples / Analyze Go Samples` as required status checks after the first workflow run 2. **Alert thresholds** (Settings → Code security → Code scanning): configure High/Critical to block PRs 3. **Private repos only**: GitHub Advanced Security must be enabled; public repos get this free ## Extending for future languages Add a new job when `java/` directories land — `java-kotlin` with `build-mode: none`.  --- 💬 Send tasks to Copilot coding agent from [Slack](https://gh.io/cca-slack-docs) and [Teams](https://gh.io/cca-teams-docs) to turn conversations into code. Copilot posts an update in your thread when it's finished. --------- Signed-off-by: Sidney Andrews <sidandrews@microsoft.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: seesharprun <5067401+seesharprun@users.noreply.github.com> Co-authored-by: Sidney Andrews <sidandrews@microsoft.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,107 @@
+name: Analyze Samples
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    - cron: '30 4 * * 2'
+  workflow_dispatch:
+
+concurrency:
+  group: codeql-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analyze-python:
+    name: Analyze Python Samples
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: python
+          build-mode: none
+          queries: security-and-quality
+      - name: Perform CodeQL Analysis
+        if: github.repository == 'AzureCosmosDB/samples'
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:python"
+
+  analyze-javascript:
+    name: Analyze JavaScript/TypeScript Samples
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: javascript-typescript
+          build-mode: none
+          queries: security-and-quality
+      - name: Perform CodeQL Analysis
+        if: github.repository == 'AzureCosmosDB/samples'
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:javascript-typescript"
+
+  analyze-dotnet:
+    name: Analyze .NET Samples
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: csharp
+          build-mode: none
+          queries: security-and-quality
+      - name: Perform CodeQL Analysis
+        if: github.repository == 'AzureCosmosDB/samples'
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:csharp"
+
+  analyze-go:
+    name: Analyze Go Samples
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: go
+          build-mode: autobuild
+          queries: security-and-quality
+      - name: Perform CodeQL Analysis
+        if: github.repository == 'AzureCosmosDB/samples'
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:go"
