Skip to content

Workflow status is tracked in GitHub: https://github.com/emulebb/emulebb/issues/113. This local document is retained as an engineering spec/evidence record.

CI-049 - Enable CodeQL code scanning for the app repository

Summary

Enable GitHub CodeQL code scanning for the app repository using a low-cost workflow that can run on public GitHub-hosted runners without invoking the full workspace build or live test infrastructure.

Intended Shape

  • Add a dedicated CodeQL workflow for C/C++ sources.
  • Use path filters so the workflow runs only for app source or workflow changes.
  • Use weekly scheduled analysis plus manual dispatch.
  • Keep permissions narrow: read repository contents and write code-scanning security events.
  • Start with build-mode: none to keep the first pass cheap and independent from hosted Visual Studio/MFC setup.

Scope Constraints

  • Do not run Hyper-V, live E2E, or release-campaign work from CodeQL.
  • Do not make CodeQL a replacement for native builds or release proof.
  • Do not require paid GitHub runner capacity for the first pass.
  • Treat a future traced-build CodeQL mode as a separate hardening step.

Acceptance Criteria

  • [ ] A CodeQL workflow exists in the app repository.
  • [ ] The workflow analyzes C/C++ code with narrow permissions.
  • [ ] The workflow is path-filtered and has concurrency cancellation.
  • [ ] The workflow can be manually dispatched.
  • [ ] The first run publishes code-scanning results or exposes actionable setup diagnostics.

Validation

  • workflow syntax review
  • first GitHub Actions run after push
  • review initial CodeQL alerts and tune suppressions only with concrete evidence