Commit c5824e4

TravisEz13 and Copilot authored
Exclude .vscode-test/** from OneBranch SDL/CodeQL scans (#5457)
* Exclude .vscode-test/** from OneBranch SDL/CodeQL scans

  The @vscode/test-electron package downloads VS Code Insiders binaries into .vscode-test/ at test time for extension integration tests. This directory is already in .gitignore but is present on disk when the OneBranch async SDL scanner runs after 'Invoke-Build Test'.

  The CodeQL SM04514 'Weak hashes' alert (S360/ADO #35101062) fires against VS Code's own cliProcessMain.js inside this directory — code that the PowerShell team has no ownership of or ability to fix.

  Adding ob_sdl_codeql_pathsToExclude prevents future false-positive alerts from third-party VS Code binary artifacts.

  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Update comment for CodeQL scan exclusions

  Clarified comment regarding exclusion of VS Code test binaries from CodeQL scans.

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent bd33d21 commit c5824e4
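A CodeQL path exclusion is a blanket suppression: every future finding under the excluded directory disappears, not only the weak-hash alert that prompted this commit. The check worth running before committing such a glob is therefore "does it cover only files we do not own?". The script below is an added example, not code from the vscode-powershell repository or from OneBranch: it translates a gitignore-style glob into a regex (the assumption that `ob_sdl_codeql_pathsToExclude` uses gitignore semantics, where `**` spans directory separators and `*` does not, is mine; the OneBranch documentation is the authority), matches it against an on-disk file list, and flags any matched file that git tracks. The sample tree and the `cliProcessMain.js` path layout are constructed; in real use `on_disk` would come from a directory walk and `tracked` from `git ls-files`.

```python
"""Audit an SDL/CodeQL path-exclusion glob: does it hide only third-party files?

Added example; not part of vscode-powershell or OneBranch.  Assumes
gitignore-style glob semantics for ob_sdl_codeql_pathsToExclude.
"""
import re
from typing import Dict, Iterable, List


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a gitignore-style glob into an anchored regex.

    '**' matches any number of path components (including none, so
    '.vscode-test/**' also matches a file directly inside the directory);
    '*' and '?' never cross a '/'.
    """
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def normalize(path: str) -> str:
    """Repo-relative path with forward slashes and no leading './' (Windows-safe)."""
    p = path.replace("\\", "/")
    return p[2:] if p.startswith("./") else p


def audit_exclusion(pattern: str, on_disk: Iterable[str], tracked: Iterable[str]) -> Dict[str, object]:
    """Return which files the glob excludes and which of those the repo owns (tracked)."""
    rx = glob_to_regex(pattern)
    tracked_set = {normalize(p) for p in tracked}
    excluded = sorted(p for p in map(normalize, on_disk) if rx.match(p))
    owned = [p for p in excluded if p in tracked_set]
    return {"excluded": excluded, "owned_but_excluded": owned, "safe": not owned}


# Constructed sample tree, not a real listing of the repository.  The layout
# under .vscode-test/ is hypothetical and only stands in for what
# @vscode/test-electron downloads.
ON_DISK = [
    r".vscode-test\vscode-insiders\resources\app\out\cliProcessMain.js",
    ".vscode-test/vscode-insiders/Code - Insiders.exe",
    ".pipelines/vscode-powershell-OneBranch.yml",
    "src/features/Console.ts",
    "test/core/paths.test.ts",
    "package.json",
]
# The downloads are .gitignore'd; everything else is tracked (constructed).
TRACKED = [p for p in ON_DISK if not p.startswith(".vscode-test")]

if __name__ == "__main__":
    # The committed pattern versus an over-broad one that would also hide our tests.
    for pat in (".vscode-test/**", "**/test/**"):
        r = audit_exclusion(pat, ON_DISK, TRACKED)
        verdict = "OK" if r["safe"] else "HIDES OWNED CODE: " + ", ".join(r["owned_but_excluded"])
        print(f"{pat!r}: excludes {len(r['excluded'])} file(s); {verdict}")
```

The second pattern in the usage loop shows the failure mode the audit exists for: a glob such as `**/test/**` would silently drop the team's own test sources from CodeQL, whereas `.vscode-test/**` matches only the untracked downloads.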

1 file changed

+4
-0
lines changed


.pipelines/vscode-powershell-OneBranch.yml

Lines changed: 4 additions & 0 deletions
@@ -70,6 +70,10 @@ extends:
7070
variables:
7171
ob_outputDirectory: $(Build.SourcesDirectory)/out
7272
ob_sdl_codeSignValidation_excludes: -|**\*.js # Node.js JavaScript signatures are not supported
73+
# Exclude downloaded VS Code test binaries from CodeQL scans.
74+
# .vscode-test/ is populated at test-time by @vscode/test-electron with VS Code
75+
# Insiders binaries; it is already .gitignore'd but is present during SDL scans.
76+
ob_sdl_codeql_pathsToExclude: .vscode-test/**
7377
steps:
7478
- pwsh: |
7579
$version = (Get-Content -Raw -Path package.json | ConvertFrom-Json).version
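Review bot: the comment above the new `ob_sdl_codeql_pathsToExclude: .vscode-test/**` line says what the directory is but not which finding the exclusion suppresses; since a path exclusion silences every future CodeQL alert under that directory, not only the one that triggered this change, the YAML comment should carry the reference from the commit message (CodeQL SM04514 'Weak hashes', S360/ADO #35101062) so the next reader can judge whether it is still justified. Consider also deleting .vscode-test/ after 'Invoke-Build Test' so the downloaded third-party binaries never reach the SDL scanners; the exclusion then only acts as a safety net. Minor: the new pattern uses forward slashes while `ob_sdl_codeSignValidation_excludes` two lines up uses `**\*.js`; if both settings accept the same glob syntax, one separator style would be easier to maintain.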

0 commit comments

Comments
 (0)