Tags: github, github-actions, codeql, github-advanced-security

Todo comment violation not reported in github codeql code scanning


I am new to GitHub Advanced Security. I have created a GitHub repo and enabled CodeQL scanning, and used the queries security-extended,security-and-quality in the codeql.yml file. Still, if I add a comment such as // TODO : something in any .cs file, it is not reported in the CodeQL analysis. What could be wrong? Other violations are being reported, such as unused variables etc.

Repo File link: OneMoreClass.cs

Codeql.yml

Also, the dead code is not being reported from the file below. Not sure if there is a query/rule present for it.

Dead code: CarsController.cs


Solution

  • Since the TODO queries (e.g. cs/todo-comment) are marked as @problem.severity recommendation, they are excluded from the built-in security-and-quality suite. The mechanism that excludes these is a query selector that only looks for severity error OR warning. The attempts you were making to filter via the configuration file won't apply, since they are already excluded due to using the above suite. With the configuration file you can specify individual additional queries directly from a pack (built-in or custom). I sent over a PR that shows how to pull in these queries directly from the built-in packs using a CodeQL config file: https://github.com/yogeshrasam/RDCarRental/pull/6
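As an added illustration (not code from the answer above or from the linked PR), the following Python models the mechanism the answer describes: a suite selector keeps only queries whose metadata says error or warning, so a recommendation-severity query such as cs/todo-comment is dropped unless it is named explicitly, the way a config file's packs:/queries: entries name it. The QLDoc headers and the selector values are constructed assumptions, not the contents of the real query packs.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed QLDoc headers in the style of CodeQL query metadata; the real
# queries in the C# query pack are not reproduced here.
TODO_QUERY = """\
/**
 * @name TODO/FIXME comments
 * @kind problem
 * @problem.severity recommendation
 * @precision high
 * @id cs/todo-comment
 */
from CommentLine c where c.getText().matches("%TODO%") select c, "TODO comment."
"""

UNUSED_VAR_QUERY = """\
/**
 * @name Unused local variable
 * @kind problem
 * @problem.severity warning
 * @precision high
 * @id cs/unused-local-variable
 */
"""

# Assumed selector, shaped like a query-suite include clause: a query is kept
# only if each listed property has one of the allowed values.
QUALITY_SELECTOR = {
    "kind": ["problem", "path-problem"],
    "problem.severity": ["error", "warning"],
    "precision": ["medium", "high", "very-high"],
}

META_RE = re.compile(r"^\s*\*\s*@([\w.]+)\s+(.*?)\s*$", re.MULTILINE)


def parse_metadata(ql_source: str) -> Dict[str, str]:
    """Read the @key value pairs from a query's leading QLDoc comment."""
    return dict(META_RE.findall(ql_source.split("*/", 1)[0]))


def selected(meta: Dict[str, str], selector: Dict[str, List[str]]) -> bool:
    """True when every property in the selector allows the query's value."""
    return all(meta.get(key) in allowed for key, allowed in selector.items())


def effective_queries(sources: Iterable[str], selector: Dict[str, List[str]],
                      explicit_ids: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Return (run, skipped) query ids; explicitly named queries bypass the selector."""
    explicit, run, skipped = set(explicit_ids), [], []
    for src in sources:
        meta = parse_metadata(src)
        if selected(meta, selector) or meta["id"] in explicit:
            run.append(meta["id"])
        else:
            skipped.append(meta["id"])
    return run, skipped
```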