ci: replace CodeQL default setup with Semgrep#16

Merged
DrWheelicus merged 3 commits into main from ci/replace-codeql-with-semgrep on Apr 8, 2026

Conversation

@DrWheelicus
Owner

@DrWheelicus DrWheelicus commented Apr 8, 2026

Pull Request

What Changed

Replace CodeQL's GitHub-managed "default setup" with a Semgrep CE workflow. The default setup skips Dependabot PRs entirely (checks complete instantly as NEUTRAL), which blocks merging when those checks are required. Semgrep runs as a normal workflow file and triggers on all pull_request events including Dependabot.

Also updated the "Required status checks" ruleset to require Scan (Semgrep) instead of Analyze (javascript-typescript) and Analyze (actions) (CodeQL), and disabled the CodeQL default setup via the API.

Additionally, added synchronize to the PR title lint workflow's event types so the check re-runs on every push, not only on open/edit/reopen.

Type of Change

  • CI/CD or tooling

Related Issues

N/A

Validation

  • npm run lint
  • npm run typecheck
  • npm test
  • npm run build

(No source code changes -- CI-only change.)

Behavior and Risk

  • User-visible behavior: None -- CI pipeline change only
  • Backward compatibility impact: None
  • Security implications: Semgrep CE replaces CodeQL for static analysis. p/default covers high-confidence JS/TS security rules; p/github-actions covers workflow injection and secrets inheritance checks. Scan time drops from ~2-3 min to ~10 seconds.

Screenshots / Logs (if applicable)

N/A

Checklist

  • I followed CONTRIBUTING.md
  • I kept changes focused and minimal
  • I did not include secrets, tokens, or sensitive data
  • I added/updated tests where appropriate
  • I updated docs when behavior changed

CodeQL's GitHub-managed default setup skips Dependabot PRs entirely,
causing required status checks to never run. Replace it with a Semgrep
CE workflow that triggers normally on all pull_request events.

- p/default: curated high-confidence JS/TS security rules
- p/github-actions: command injection and secrets inheritance checks
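An illustrative Semgrep CE workflow of the shape the PR describes, added here as an example; it is not the repository's own workflow file, and the job name (chosen to match the "Scan (Semgrep)" check required by the ruleset), the checkout version and the explicit event types are assumptions. Because the scan uses only the public p/default and p/github-actions rule packs and needs no SEMGREP_APP_TOKEN, it also runs on Dependabot pull requests, which receive a read-only token and no repository secrets; the explicit types list shows the synchronize event that the PR also added to the title lint workflow.

```yaml
name: Semgrep

on:
  pull_request:
    # opened/synchronize/reopened is already the default for pull_request;
    # listed explicitly so the re-run-on-every-push behaviour is visible
    types: [opened, synchronize, reopened]
  push:
    branches: [main]

permissions:
  contents: read   # a read-only token is all a scan needs (and all Dependabot PRs get)

jobs:
  semgrep:
    # Job name is what the ruleset's required status check matches (assumed name)
    name: Scan (Semgrep)
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep   # Semgrep CE image; no account or app token required
    steps:
      - uses: actions/checkout@v4   # assumed version; pin to a commit SHA in practice

      - name: Scan with curated rule packs
        # p/default: high-confidence JS/TS security rules
        # p/github-actions: workflow command injection and secrets inheritance checks
        # --error makes the job fail (and the required check go red) on any finding
        run: |
          semgrep scan \
            --config p/default \
            --config p/github-actions \
            --error
```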
@github-actions

github-actions Bot commented Apr 8, 2026

Coverage Report

Status   Category     Percentage         Covered / Total
🔵       Lines        52.77%             419 / 794
🔵       Statements   52.77% (🎯 30%)    419 / 794
🔵       Functions    75%                36 / 48
🔵       Branches     70.65%             65 / 92

File Coverage: No changed files found.
Generated in workflow #53 for commit 594299e by the Vitest Coverage Report Action

@DrWheelicus DrWheelicus force-pushed the ci/replace-codeql-with-semgrep branch 2 times, most recently from 149caf9 to 235bc56, April 8, 2026 18:03
Add the synchronize event type so the check appears alongside
every new batch of status checks, not only on open/edit/reopen.
@DrWheelicus DrWheelicus force-pushed the ci/replace-codeql-with-semgrep branch from 235bc56 to 5c0e19c, April 8, 2026 18:07
@DrWheelicus DrWheelicus merged commit c8ec2b1 into main Apr 8, 2026
11 checks passed
@DrWheelicus DrWheelicus deleted the ci/replace-codeql-with-semgrep branch April 8, 2026 18:12