Skip to content

Add security workflows pre-commit hooks, dependency review, CodeQL#202

Merged
rahuldevikar761 merged 3 commits intomainfrom
users/radevika/add-security-workflows
Feb 10, 2026
Merged

Add security workflows pre-commit hooks, dependency review, CodeQL#202
rahuldevikar761 merged 3 commits intomainfrom
users/radevika/add-security-workflows

Conversation

@rahuldevikar761
Copy link
Collaborator

@rahuldevikar761 rahuldevikar761 commented Feb 10, 2026

No description provided.

@rahuldevikar761 rahuldevikar761 requested a review from a team as a code owner February 10, 2026 04:32
Copilot AI review requested due to automatic review settings February 10, 2026 04:32
@github-actions
Copy link

github-actions bot commented Feb 10, 2026
edited
Loading

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout 4.*.* 🟢 6.5
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 57 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Packaging⚠️ -1packaging workflow not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
Vulnerabilities🟢 82 existing vulnerabilities detected
SAST🟢 8SAST tool detected but not run on all commits
actions/actions/dependency-review-action 4.*.* 🟢 7.5
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 810 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Security-Policy🟢 9security policy file detected
Packaging⚠️ -1packaging workflow not detected
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Pinned-Dependencies⚠️ 1dependency not pinned by hash detected -- score normalized to 1
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
SAST🟢 10SAST tool is run on all commits
Vulnerabilities🟢 73 existing vulnerabilities detected

Scanned Files

  • .github/workflows/dependency-review.yml

Copilot AI reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds baseline security automation to the repo via local pre-commit hooks and GitHub Actions workflows, aiming to catch secrets, vulnerable dependencies, and CodeQL findings earlier in the development lifecycle.

Changes:

  • Add a .pre-commit-config.yaml with Gitleaks, whitespace/YAML/JSON/XML checks, and a dotnet format verification hook.
  • Add a Dependency Review workflow to block PRs introducing high-severity vulnerable dependencies and disallowed licenses.
  • Add a CodeQL workflow for scheduled and PR/push C# analysis.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
.pre-commit-config.yaml Introduces local hooks for secret scanning, file hygiene checks, and .NET formatting verification.
.github/workflows/dependency-review.yml Adds PR-time dependency vulnerability and license policy checks.
.github/workflows/codeql.yml Adds CodeQL scanning for C# on PRs, pushes to main, and a weekly schedule.

Copilot AI review requested due to automatic review settings February 10, 2026 05:12
@rahuldevikar761 rahuldevikar761 force-pushed the users/radevika/add-security-workflows branch from f8dd772 to 91817ee Compare February 10, 2026 05:12
Copilot AI reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

@rahuldevikar761 rahuldevikar761 enabled auto-merge (squash) February 10, 2026 18:14
@rahuldevikar761 rahuldevikar761 merged commit ed4304b into main Feb 10, 2026
7 checks passed
@rahuldevikar761 rahuldevikar761 deleted the users/radevika/add-security-workflows branch February 10, 2026 23:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pontemonti pontemonti pontemonti approved these changes

@tmlsousa tmlsousa tmlsousa approved these changes

+1 more reviewer

@JosinaJoy JosinaJoy JosinaJoy approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@rahuldevikar761 @pontemonti @JosinaJoy @tmlsousa