ci: scan actions with codeql and add bicep linter config#10
Conversation
The repo is Bicep and docs with no JavaScript, so the CodeQL matrix targeted a language that does not exist here. Switch the language from 'javascript' to 'actions' so CodeQL scans the GitHub Actions workflows, which are the meaningful analyzable surface.

Add a root bicepconfig.json with production linter defaults so the landing-zone Bicep under impl/azure/landing-zone is linted consistently with the rest of the portfolio: core analyzers enabled, secret/security rules at error, style/correctness rules at warning, no-hardcoded-env-urls at error, and use-recent-api-versions disabled to avoid churn.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fd59563beb
| fail-fast: false | ||
| matrix: | ||
| language: [ 'javascript' ] | ||
| language: [ 'actions' ] |
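Review bot: replacing 'javascript' with 'actions' removes JavaScript/TypeScript from the scan rather than extending it, since `actions` and `javascript-typescript` (alias `javascript`) are separate CodeQL language identifiers; if any runtime JS exists in the repo, the matrix should carry both entries, e.g. `language: [ 'actions', 'javascript-typescript' ]`. The commit message says the repo has no JavaScript while the review comment cites docs/assets/app.js, so confirm with `git ls-files '*.js' '*.ts'` before merging and drop the JS entry only if that list is empty. With a single-entry matrix `fail-fast: false` is a no-op, which is fine to keep for when a second language is added.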
Keep JavaScript in the CodeQL language matrix
Because this repo does include runtime JavaScript (docs/assets/app.js), replacing javascript with only actions stops CodeQL from scanning that file. GitHub's CodeQL workflow docs list GitHub Actions (actions) and JavaScript/TypeScript (javascript-typescript, alias javascript) as separate language identifiers, so this extends workflow coverage only by dropping the existing JS coverage; include both entries if the intent is to scan Actions too.
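The disagreement above (commit message: no JavaScript; review: docs/assets/app.js exists) is the kind of thing a matrix-coverage check settles mechanically. The following is an added example for this thread, not code from the repository or from either bot: it maps a repository file list to CodeQL language identifiers and reports languages present but absent from the matrix, and matrix entries with nothing to scan. The extension map, the alias table, and the sample file list are constructed assumptions for illustration; Bicep is not a CodeQL language and is deliberately left unmapped.

```python
"""Check a CodeQL language matrix against the languages actually present in a repo.

Added illustration for the PR discussion above; not the repository's own code.
"""
from collections import defaultdict
from pathlib import PurePosixPath

# CodeQL language identifier per file extension. Assumed subset of the
# identifiers GitHub documents; extend as needed. Bicep has no CodeQL
# language, so .bicep is intentionally absent.
EXT_TO_CODEQL = {
    ".js": "javascript-typescript", ".mjs": "javascript-typescript",
    ".jsx": "javascript-typescript", ".ts": "javascript-typescript",
    ".tsx": "javascript-typescript",
    ".py": "python", ".go": "go", ".rb": "ruby", ".cs": "csharp",
    ".java": "java-kotlin", ".kt": "java-kotlin",
    ".c": "c-cpp", ".cc": "c-cpp", ".cpp": "c-cpp", ".h": "c-cpp",
}

# Short aliases GitHub accepts in the matrix, normalised to the canonical id.
ALIASES = {
    "javascript": "javascript-typescript", "typescript": "javascript-typescript",
    "java": "java-kotlin", "kotlin": "java-kotlin",
    "c": "c-cpp", "cpp": "c-cpp",
}


def normalize(lang: str) -> str:
    return ALIASES.get(lang, lang)


def languages_in_repo(paths):
    """Return {codeql_language: [paths]} for a list of repo-relative POSIX paths."""
    found = defaultdict(list)
    for p in paths:
        path = PurePosixPath(p)
        # GitHub Actions workflows are the files CodeQL's 'actions' language scans.
        if path.parts[:2] == (".github", "workflows") and path.suffix in (".yml", ".yaml"):
            found["actions"].append(p)
            continue
        lang = EXT_TO_CODEQL.get(path.suffix.lower())
        if lang:
            found[lang].append(p)
    return dict(found)


def matrix_gaps(paths, matrix_languages):
    """Compare repo contents with the matrix.

    Returns (missing, unused): languages present in the repo but not in the
    matrix (with the offending files), and matrix entries with no files to scan.
    """
    present = languages_in_repo(paths)
    scanned = {normalize(lang) for lang in matrix_languages}
    missing = {lang: files for lang, files in present.items() if lang not in scanned}
    unused = sorted(scanned - set(present))
    return missing, unused


# Constructed sample file list resembling the repo as the review describes it.
SAMPLE_FILES = [
    ".github/workflows/codeql.yml",
    "docs/assets/app.js",
    "docs/index.md",
    "impl/azure/landing-zone/bicep/main.bicep",
    "bicepconfig.json",
]

if __name__ == "__main__":
    for matrix in (["javascript"], ["actions"], ["actions", "javascript-typescript"]):
        missing, unused = matrix_gaps(SAMPLE_FILES, matrix)
        print(f"matrix={matrix}: missing={missing} unused={unused}")
```

Fed the real file list (for example `git ls-files`), the "before" matrix `['javascript']` reports the workflows as unscanned, the "after" matrix `['actions']` reports app.js as unscanned, and only the two-entry matrix reports no gaps; a non-empty `unused` list is the signal that a language can be dropped without losing coverage.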
Summary
Fixes the CodeQL configuration to match the repo's actual analyzable surface and adds a Bicep linter config.
1. CodeQL language (`.github/workflows/codeql.yml`)
- `javascript`, but this repo is Bicep + Markdown docs with no JavaScript, so CodeQL had nothing to analyze.
- `actions`, so CodeQL scans the GitHub Actions workflows — the meaningful analyzable code in this repo.

2. Bicep linter config (`bicepconfig.json`)
- `bicepconfig.json` (the filename Bicep actually recognizes) so the landing-zone templates under `impl/azure/landing-zone/bicep/` are linted consistently with the rest of the portfolio.
- As in `cas-platform`: core analyzers enabled, secret/security rules at `error` (incl. `no-hardcoded-env-urls`, `adminusername-should-not-be-literal`, `outputs-should-not-contain-secrets`, `secure-parameter-default`), style/correctness rules at `warning`, `use-recent-api-versions` set to `off`.

Validation
- `az bicep build` (Bicep CLI 0.40.2) on `impl/azure/landing-zone/bicep/main.bicep` with the new config: exit 0, no linter warnings or errors.
- `yaml.safe_load` parse.

Rollback / change safety
- `bicepconfig.json` only affects linting, not deployed resources.

🤖 Generated with Claude Code