Exclude .vscode-test/** from OneBranch SDL/CodeQL scans#5457
Merged
andyleejordan merged 2 commits into main from Apr 8, 2026
Conversation
The @vscode/test-electron package downloads VS Code Insiders binaries into .vscode-test/ at test time for extension integration tests. This directory is already in .gitignore but is present on disk when the OneBranch async SDL scanner runs after 'Invoke-Build Test'. The CodeQL SM04514 'Weak hashes' alert (S360/ADO #35101062) fires against VS Code's own cliProcessMain.js inside this directory — code that the PowerShell team has no ownership of or ability to fix. Adding ob_sdl_codeql_pathsToExclude prevents future false-positive alerts from third-party VS Code binary artifacts. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Clarified comment regarding exclusion of VS Code test binaries from CodeQL scans.
Member
@TravisEz13 the OneBranch team promised months ago that they would exclude that folder by default, since it's not us, it's the VS Code team's test package. I'll take this, but it is frustrating they didn't follow through.
Pull request overview
Updates the OneBranch pipeline configuration to prevent CodeQL from scanning the locally-downloaded VS Code Insiders test binaries under .vscode-test/, avoiding an SDL false-positive.
Changes:
- Adds an `ob_sdl_codeql_pathsToExclude` variable to exclude `.vscode-test/**` from CodeQL analysis.
- Documents why the exclusion is needed (directory is populated by `@vscode/test-electron` during test execution and is not project-owned source).
Summary
This pull request makes a small update to the pipeline configuration to improve security scan accuracy. It excludes the `.vscode-test/` directory—where VS Code Insiders binaries are downloaded for testing—from CodeQL scans, preventing false positives and unnecessary scan noise.
- `.pipelines/vscode-powershell-OneBranch.yml`: Added `.vscode-test/**` to the `ob_sdl_codeql_pathsToExclude` variable to exclude test binaries from CodeQL scans.
Root Cause
The `@vscode/test-electron` package downloads VS Code Insiders binaries into `.vscode-test/` when `Invoke-Build Test` runs during the OneBranch pipeline. The directory is already in `.gitignore` but is present on disk when the async SDL/CodeQL scanner runs after the test step.
The CodeQL SM04514 'Weak hashes' alert fires against `cliProcessMain.js` inside `.vscode-test/vscode-win32-x64-archive-insiders/resources/app/out/vs/code/node/` — this is VS Code's own bundled JavaScript, not PowerShell code. The PowerShell team has no ownership of or ability to fix hash usage inside VS Code's CLI runtime.
Fix
Adds `ob_sdl_codeql_pathsToExclude: .vscode-test/**` to the OneBranch job variables, preventing the CodeQL scanner from analyzing downloaded VS Code test binaries.
Why this is safe
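A coverage check for the exclusion pattern from the Fix section above, added here as an example; it is not part of this PR, of OneBranch, or of CodeQL. It assumes the common glob convention (`**` spans directory separators, `*` and `?` stay within one path segment) and constructs sample on-disk paths: only the `cliProcessMain.js` path comes from the PR description, while `src/main.ts`, the `Code - Insiders.exe` path and `.vscode-test-results/` are made-up inputs used to show what the pattern does and does not cover.

```python
"""Check which on-disk paths a CodeQL-style path-exclusion list covers.

Added example, not part of the PR or of OneBranch/CodeQL: it assumes the
common glob convention ('**' spans directory separators, '*' and '?' stay
within one path segment) and is a coverage check for the pattern list,
not CodeQL's own matcher.
"""
import re
from typing import Iterable, List, Tuple


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a path glob into an anchored regular expression."""
    i, parts = 0, []
    while i < len(pattern):
        if pattern.startswith("**/", i):      # zero or more whole segments
            parts.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):     # rest of the path, any depth
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":               # wildcard within one segment
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":               # one character within a segment
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def normalize(path: str) -> str:
    """Use forward slashes and drop a leading './' so patterns compare cleanly."""
    norm = path.replace("\\", "/")
    while norm.startswith("./"):
        norm = norm[2:]
    return norm


def is_excluded(path: str, exclusions: Iterable[str]) -> bool:
    """True if any exclusion glob matches the normalized path."""
    norm = normalize(path)
    return any(glob_to_regex(normalize(p)).match(norm) for p in exclusions)


def partition(paths: Iterable[str], exclusions: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split paths into (still_scanned, excluded)."""
    exclusions = list(exclusions)
    scanned, excluded = [], []
    for p in paths:
        (excluded if is_excluded(p, exclusions) else scanned).append(p)
    return scanned, excluded


# The exclusion the PR adds, and constructed sample paths as the SDL scanner
# would see them on disk after 'Invoke-Build Test'. Only the cliProcessMain.js
# path comes from the PR description; the other entries are made up.
EXCLUSIONS = [".vscode-test/**"]
SAMPLE_PATHS = [
    ".vscode-test/vscode-win32-x64-archive-insiders/resources/app/out/vs/code/node/cliProcessMain.js",
    ".\\.vscode-test\\vscode-win32-x64-archive-insiders\\Code - Insiders.exe",  # Windows separators
    "src/main.ts",                       # project-owned source: must stay scanned
    ".vscode-test-results/report.xml",   # similar prefix, different directory: stays scanned
]

if __name__ == "__main__":
    scanned, excluded = partition(SAMPLE_PATHS, EXCLUSIONS)
    print("excluded from CodeQL:", *excluded, sep="\n  ")
    print("still scanned:", *scanned, sep="\n  ")
```

Running the script lists the two VS Code binary paths as excluded and leaves `src/main.ts` and the sibling `.vscode-test-results/` directory under scan, which is the property worth confirming before merging a pattern like this: it removes the third-party download directory and nothing else.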