Add CodeQL config to exclude .vscode-test/ from analysis (fixes S360 false positive) #5456
Pull request overview
Adds a CodeQL analysis configuration intended to prevent CodeQL from scanning CI-downloaded VS Code test artifacts (not repo source), addressing an S360 false positive originating under .vscode-test/.
Changes:
- Add .github/codeql/codeql-config.yml with paths-ignore entries for .vscode-test/ and common build/dependency output directories.
.github/codeql/codeql-config.yml
| - .vscode-test/ # Downloaded VS Code binaries for integration testing (in .gitignore) | ||
| - node_modules/ | ||
| - out/ | ||
| - dist/ |
paths-ignore patterns here are very literal; using a bare directory with a trailing slash (e.g. .vscode-test/) may not match all nested files depending on the CodeQL runner’s path matching rules. Consider switching to an explicit glob like .vscode-test/** (and similarly node_modules/**, out/**, dist/**) to ensure everything under those directories is excluded.
| - .vscode-test/ # Downloaded VS Code binaries for integration testing (in .gitignore) | |
| - node_modules/ | |
| - out/ | |
| - dist/ | |
| - .vscode-test/** # Downloaded VS Code binaries for integration testing (in .gitignore) | |
| - node_modules/** | |
| - out/** | |
| - dist/** |
.github/codeql/codeql-config.yml
| # CodeQL analysis configuration for vscode-powershell. | ||
| # Excludes runtime-downloaded artifacts that are not part of the repository source. | ||
| paths-ignore: | ||
| - .vscode-test/ # Downloaded VS Code binaries for integration testing (in .gitignore) |
This repo already has a root CodeQL.yml that classifies .vscode-test as library. I couldn’t find any in-repo workflow/pipeline step explicitly pointing CodeQL at .github/codeql/codeql-config.yml; if the scanner you’re using doesn’t auto-discover this location, the new ignore list won’t take effect and the false positive will remain. Either (1) update the existing CodeQL.yml with the ignore config expected by your scanner, or (2) add/adjust the CodeQL invocation to reference this config file explicitly (and document which config file is authoritative).
The .vscode-test/ directory is populated at CI test runtime by the vscode-test npm package, which downloads a VS Code binary to run integration tests. This directory is already in .gitignore and contains third-party VS Code/extension code (not PowerShell source).

S360/CodeQL was flagging CodeQL.SM04514 'Weak hashes' in:
.vscode-test/.../ms-vscode.js-debug/src/bootloader.js

That file belongs to the VS Code JavaScript Debugger extension (ms-vscode.js-debug), owned by the VS Code team. Adding a CodeQL paths-ignore config prevents the scanner from analyzing runtime artifacts that are outside PowerShell's ownership and control.

Resolves: ADO #34872363

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
c8e3362 to 19750cb
Summary
Adds a CodeQL analysis config to exclude .vscode-test/ from scanning.
Problem
S360/CodeQL was flagging CodeQL.SM04514 'Weak hashes' in:
.vscode-test/vscode-win32-x64-archive-insiders/resources/app/extensions/ms-vscode.js-debug/src/bootloader.js

This file is not PowerShell source code:
The scanner is picking up runtime artifacts on the CI agent filesystem, not tracked source files.
Fix
Add .github/codeql/codeql-config.yml with paths-ignore to prevent CodeQL from analyzing downloaded test artifacts.
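As an added illustration (not code from this PR or from the vscode-powershell repository), this shows the config file next to the workflow step that has to reference it for the ignore list to take effect; the workflow file name, job name and language value are assumptions.

```yaml
# .github/codeql/codeql-config.yml (assumed content, following the PR's intent)
name: "vscode-powershell CodeQL config"
paths-ignore:
  # Downloaded VS Code binaries for integration tests; in .gitignore, not repo source
  - ".vscode-test/**"
  # Dependency and build output, also not repository source
  - "node_modules/**"
  - "out/**"
  - "dist/**"
---
# .github/workflows/codeql.yml (assumed file; only the analysis job is shown)
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          # Without this key the init step uses its defaults and the
          # paths-ignore list in the config file is never read.
          config-file: ./.github/codeql/codeql-config.yml
      - uses: github/codeql-action/analyze@v3
```

After the next run, the check that the change worked is that no result in the uploaded SARIF has a location under .vscode-test/; if bootloader.js still appears, the config file is not the one the scanner loaded.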