CodeQL: Fix 3140 code quality and security issues #19

@jas88

Summary

CodeQL analysis has detected 3,140 code quality and security issues. After initial analysis, many of these are spurious alerts from generated code (*.g.cs files, regex patterns, etc.) that cannot be meaningfully fixed. This issue focuses on addressing the actionable CodeQL findings that impact real code quality and security.

Issue Details

  • Total Issues Detected: 3,140
  • Estimated Actionable Issues: TBD (need analysis to filter out generated code)
  • Spurious Issues: Generated code (*.g.cs), auto-generated regex patterns, etc.
  • Real Impact: Need to filter and analyze actual code issues

Action Plan

Phase 1: Filtering and Analysis

  • Filter out CodeQL issues from generated files (*.g.cs, auto-generated code)
  • Identify which issues are in actual source code vs. generated artifacts
  • Categorize actionable issues by severity and type
  • Determine the real number of issues that need fixing
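An added example of the Phase 1 triage, not code from the issue or the repository: it reads a CodeQL SARIF export, sets aside alerts whose file matches a generated-code glob, and counts what remains by rule, level and CodeQL security severity. The glob list, the rule ids and the sample SARIF document are constructed assumptions.

```python
"""Triage a CodeQL SARIF export: split alerts in generated files from
actionable ones, then bucket the actionable alerts by rule and severity.
Added example; the glob list, rule ids and the sample SARIF are constructed."""
import fnmatch
from collections import Counter

# Globs for generated artifacts (assumption: extend for the repo's own generators).
GENERATED_GLOBS = ("*.g.cs", "*.g.i.cs", "*/obj/*")


def is_generated(uri: str) -> bool:
    """True when the alert's file matches a generated-code pattern."""
    return any(fnmatch.fnmatch(uri, pat) for pat in GENERATED_GLOBS)


def triage(sarif: dict) -> dict:
    """Count generated vs actionable alerts; for actionable ones, count per
    (rule, level) and flag rules carrying a CodeQL security-severity score."""
    out = {"generated": 0, "actionable": 0, "by_rule": Counter(), "security": Counter()}
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            uri = res["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
            if is_generated(uri):
                out["generated"] += 1
                continue
            out["actionable"] += 1
            rid = res.get("ruleId", "unknown")
            out["by_rule"][(rid, res.get("level", "none"))] += 1
            if "security-severity" in rules.get(rid, {}).get("properties", {}):
                out["security"][rid] += 1
    return out


def alert(rule: str, level: str, uri: str) -> dict:
    """Build a minimal SARIF result record (helper for the constructed sample)."""
    return {"ruleId": rule, "level": level,
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri}}}]}


# Constructed sample: two rules, five alerts, three of them in generated files.
SAMPLE_SARIF = {"runs": [{
    "tool": {"driver": {"rules": [
        {"id": "cs/sql-injection", "properties": {"security-severity": "8.8"}},
        {"id": "cs/useless-assignment-to-local", "properties": {}}]}},
    "results": [
        alert("cs/useless-assignment-to-local", "warning", "src/App/Resources.g.cs"),
        alert("cs/useless-assignment-to-local", "warning", "src/App/obj/Debug/Regex.g.cs"),
        alert("cs/useless-assignment-to-local", "warning", "src/App/Parser.g.i.cs"),
        alert("cs/useless-assignment-to-local", "warning", "src/App/Services/Import.cs"),
        alert("cs/sql-injection", "error", "src/App/Data/Query.cs")]}]}

if __name__ == "__main__":
    print(triage(SAMPLE_SARIF))
```

The same globs are what the `paths-ignore` list in the CodeQL configuration file would carry once Phase 3 is implemented, so the script doubles as a check that the exclusion set removes only generated-file alerts.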

Phase 2: Address Real Issues (Priority-based)

  • Security Issues: Fix legitimate security vulnerabilities in source code
  • Code Quality: Address maintainability issues in hand-written code
  • Generated Code Noise: Configure CodeQL to ignore spurious generated code alerts
  • CI/CD Filtering: Update CodeQL configuration to exclude generated files

Phase 3: Configuration Improvements

  • Update .github/configs/codeql.yml to exclude generated file patterns
  • Add exclusions for:
    • *.g.cs files (generated source)
    • Auto-generated regex patterns
    • Template-generated code
    • Other known spurious alert sources
  • Validate that exclusions work and only real issues are reported

Phase 4: Fix Remaining Issues

  • Address remaining legitimate CodeQL findings
  • Focus on security-critical and high-impact issues
  • Improve code quality where practical

Success Criteria

  • CodeQL configured to ignore spurious generated code alerts
  • Only actionable source code issues are reported
  • Legitimate security and quality issues are addressed
  • CodeQL alerts reduced to meaningful, actionable items

Notes

  • Many CodeQL alerts are from generated code that cannot be meaningfully modified
  • Focus should be on filtering out noise rather than fixing every alert
  • Generated code exclusions are a legitimate and standard practice
  • Real issues are likely much fewer than 3,140 after filtering

Related Items

  • CodeQL workflow: .github/workflows/codeql.yml
  • CodeQL configuration: .github/configs/codeql.yml
  • Need to update CodeQL exclusions for generated file patterns
