Workflow status is tracked in GitHub: https://github.com/emulebb/emulebb/issues/113. This local document is retained as an engineering spec/evidence record.
CI-049 - Enable CodeQL code scanning for the app repository¶
Summary¶
Enable GitHub CodeQL code scanning for the app repository using a low-cost workflow that can run on public GitHub-hosted runners without invoking the full workspace build or live test infrastructure.
Intended Shape¶
- Add a dedicated CodeQL workflow for C/C++ sources.
- Use path filters so the workflow runs only for app source or workflow changes.
- Use weekly scheduled analysis plus manual dispatch.
- Keep permissions narrow: read repository contents and write code-scanning security events.
- Start with
build-mode: noneto keep the first pass cheap and independent from hosted Visual Studio/MFC setup.
Scope Constraints¶
- Do not run Hyper-V, live E2E, or release-campaign work from CodeQL.
- Do not make CodeQL a replacement for native builds or release proof.
- Do not require paid GitHub runner capacity for the first pass.
- Treat a future traced-build CodeQL mode as a separate hardening step.
Acceptance Criteria¶
- [ ] A CodeQL workflow exists in the app repository.
- [ ] The workflow analyzes C/C++ code with narrow permissions.
- [ ] The workflow is path-filtered and has concurrency cancellation.
- [ ] The workflow can be manually dispatched.
- [ ] The first run publishes code-scanning results or exposes actionable setup diagnostics.
Validation¶
- workflow syntax review
- first GitHub Actions run after push
- review initial CodeQL alerts and tune suppressions only with concrete evidence