SFI: enable C# CodeQL coverage #608
Merged
Conversation
… CodeQL tracer cannot override it
…lize in build.yaml owns C#)
… C#, attempt-scoped buildIdentifier)
Contributor
Pull request overview
Restores end-to-end C# CodeQL database generation for AI Dev Gallery’s Azure DevOps CI/release pipelines by switching to an explicit CodeQL3000 init/finalize wrapping of the dotnet build script and enabling CodeQL via 1ES pipeline template SDL configuration.
Changes:
- Wraps the build script with CodeQL3000Init@0/CodeQL3000Finalize@0 to ensure the tracer attaches to dotnet build.
- Enables sdl.codeql in both CI and release pipelines (with compiled.enabled: false and a retry-unique buildIdentifier).
- Updates the main app project file with EmitCompilerGeneratedFiles controls.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| AIDevGallery/AIDevGallery.csproj | Adds project-level control over EmitCompilerGeneratedFiles behavior. |
| .pipelines/templates/build.yaml | Wraps dotnet build with explicit CodeQL3000 init/finalize tasks. |
| .pipelines/ci.yml | Enables CodeQL configuration via the 1ES SDL block for CI. |
| .pipelines/release.yml | Mirrors the CodeQL configuration for official release builds. |
…mpilerGeneratedFiles pin)
wang563681252
approved these changes
Jun 4, 2026
Summary
Restore C# CodeQL coverage for microsoft/ai-dev-gallery to clear the related SFI item. CodeQL3000 had been silently failing to produce a C# database. After merge, CI run produces and uploads a fresh C# CodeQL database via 1ES PT, replacing the previously-broken external CCA autobuilder path.
Fix
- .pipelines/templates/build.yaml — Wrap the build step with explicit CodeQL3000Init@0/CodeQL3000Finalize@0 so the tracer actually attaches to our script: dotnet build (auto-injector ignores bare scripts).
- .pipelines/ci.yml — Add sdl.codeql block: enable CodeQL, set compiled.enabled: false (avoid duplicating our explicit pair), and set buildIdentifier: 'Build_$(System.JobAttempt)' to keep cadence keys distinct across retries.
- .pipelines/release.yml — Mirror the same sdl.codeql block. Also resolves the long-standing release attempt-1 CS0016 failure caused by tracer injection on the Official template.
Verification
End-to-end validation on a verify branch: codeql-verify, Language C#, BuildSource CodeQL3000_1ESPT.
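The following is an added illustration of the pipeline shape the Copilot summary and the PR description above refer to; it is not the PR's own diff and not taken from the microsoft/ai-dev-gallery repository. The task names (CodeQL3000Init@0, CodeQL3000Finalize@0) and the sdl.codeql keys compiled.enabled and buildIdentifier are the ones named on this page; the job layout, the displayName values, the csproj path in the build step, the exact name of the enable key, and the 1ES template reference are assumptions.

```yaml
# Added example (not the PR's actual files). Reconstructs the two pieces the PR
# describes: an explicit init/finalize pair around a bare `script:` build step,
# and the sdl.codeql settings in the 1ES PT extends block.

# --- .pipelines/templates/build.yaml (assumed shape) ---
steps:
  # Explicit init: the PR notes the auto-injector ignores bare `script:` steps,
  # so without this the tracer never attaches and no C# database is produced.
  - task: CodeQL3000Init@0
    displayName: CodeQL init (C#)            # displayName assumed

  - script: dotnet build AIDevGallery/AIDevGallery.csproj   # csproj path assumed
    displayName: Build                        # displayName assumed

  # Finalize after the traced build so the database is completed and uploaded.
  - task: CodeQL3000Finalize@0
    displayName: CodeQL finalize              # displayName assumed

# --- .pipelines/ci.yml / .pipelines/release.yml (assumed shape of the sdl block) ---
extends:
  template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates   # template reference assumed
  parameters:
    sdl:
      codeql:
        enabled: true                 # exact enable key name assumed
        compiled:
          enabled: false              # from the PR: avoid a second, auto-injected init/finalize pair
        buildIdentifier: 'Build_$(System.JobAttempt)'   # from the PR: distinct cadence key per retry attempt
```

The check worth doing after a change like this is the one the PR's own verification step describes: confirm that the pipeline run actually reports a C# database with a CodeQL3000-based source rather than silently completing with none, since the failure mode being fixed here produced no error, only a missing database.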