
ci: expand CodeQL SAST coverage to all active branches #2532

Open
BrendanWalsh wants to merge 1 commit into master from openssf/improve-sast-coverage

Conversation

@BrendanWalsh (Collaborator)

Summary

Expand CodeQL SAST workflow triggers to cover all active branches, not just master.

Changes

Added spark3.5, spark4.0, and spark4.1 to the on.push.branches and on.pull_request.branches triggers in .github/workflows/codeql.yml.

Motivation

The OpenSSF Scorecard SAST check currently scores 9/10 with the detail: "SAST tool detected but not run on all commits." This is because CodeQL only runs on pushes to master, missing commits merged directly to release branches.

By adding all active release branches to the push trigger, every commit to any important branch will be analyzed, improving the SAST score from 9 → 10.

Impact

  • Slightly increases GitHub Actions minutes (CodeQL runs on pushes to 3 additional branches)
  • No impact on build or test workflows
  • No code changes — workflow configuration only

Ensure CodeQL analysis runs on pushes to all active branches (master
and spark3.5) to satisfy OpenSSF Scorecard SAST check requirements.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
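As an added illustration (not code from this PR or from the SynapseML repository; the real contents of .github/workflows/codeql.yml are not shown on this page, so the surrounding layout is assumed), this is what the trigger change described above looks like. The pre-change state is kept as a comment so the two can be compared side by side; the branch names are the ones the PR description lists, and the scheduled run is an optional addition beyond what the PR itself changes.

```yaml
# Added illustration, not the repository's own codeql.yml. Only the trigger
# block is shown; the CodeQL job definition itself is unchanged and omitted.

# BEFORE (assumed prior state): CodeQL runs only for master. Commits merged
# directly to a release branch are never analyzed, which is why Scorecard
# reports "SAST tool detected but not run on all commits".
#
# on:
#   push:
#     branches: [master]
#   pull_request:
#     branches: [master]

# AFTER: every active branch appears under both triggers, so a push to a
# release branch and a pull request targeting one are both analyzed.
on:
  push:
    branches:
      - master
      - spark3.5
      - spark4.0
      - spark4.1
  pull_request:
    branches:
      - master
      - spark3.5
      - spark4.0
      - spark4.1
  # Optional (assumption, not part of the PR): a weekly run re-analyzes
  # branches that receive no commits for a while, so newly published
  # CodeQL queries still get applied to them.
  schedule:
    - cron: '0 6 * * 1'
```

One maintenance caveat worth keeping in mind: an explicit list like this silently stops covering a new release branch the day it is cut, and the Scorecard score would drop back again. GitHub Actions branch filters accept glob patterns, so a pattern such as `spark*` alongside `master` would match future `sparkX.Y` branches automatically; the PR chose the explicit list, which is easier to audit but needs updating whenever a branch is added or retired.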
Copilot AI review requested due to automatic review settings March 31, 2026 04:46
@github-actions

Hey @BrendanWalsh 👋!
Thank you so much for contributing to our repository 🙌.
Someone from SynapseML Team will be reviewing this pull request soon.

We use semantic commit messages to streamline the release process.
Before your pull request can be merged, you should make sure your first commit and PR title start with a semantic prefix.
This helps us to create release messages and credit you for your hard work!

Examples of commit messages with semantic prefixes:

  • fix: Fix LightGBM crashes with empty partitions
  • feat: Make HTTP on Spark back-offs configurable
  • docs: Update Spark Serving usage
  • build: Add codecov support
  • perf: improve LightGBM memory usage
  • refactor: make python code generation rely on classes
  • style: Remove nulls from CNTKModel
  • test: Add test coverage for CNTKModel

To test your commit locally, please follow our guide on building from source.
Check out the developer guide for additional guidance on testing your change.

@github-actions

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA ad54a3c.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None
