
Add CodeQL code scanning workflow (Python, JavaScript/TypeScript, C#, Go)#15

Merged
seesharprun merged 10 commits into main from copilot/enable-codeql-and-scanning
Mar 19, 2026

Conversation


Copilot AI commented Mar 19, 2026

Adds CodeQL analysis to gate PRs and run on schedule across the languages present in the monorepo, using the Analyze Samples workflow (named to mirror the existing Validate Samples workflow).

Workflow design

  • Separate jobs per language (analyze-python, analyze-javascript, analyze-dotnet, analyze-go) so each produces an independent status check that can be individually required in branch protection rules
  • Job display names follow the same pattern as the validation workflow: Analyze Python Samples, Analyze JavaScript/TypeScript Samples, Analyze .NET Samples, Analyze Go Samples
  • if: github.repository == 'AzureCosmosDB/samples' guard on the Perform CodeQL Analysis step (SARIF upload) ensures fork PRs complete the jobs successfully — satisfying required status checks — while the upload is skipped where security-events: write is unavailable
  • workflow_dispatch added for on-demand scans
  • queries: security-and-quality on all jobs — reference examples only use default security queries, missing code quality coverage
  • Workflow-level concurrency with cancel-in-progress: true prevents redundant queued runs on rapid pushes

Per-language build modes

| Language | Build mode | Notes |
| --- | --- | --- |
| Python | none | Interpreted; no build needed |
| JavaScript/TypeScript | none | Source-only analysis; compilation is handled by the validation workflow |
| C# | none | Source-only analysis; compilation is handled by the validation workflow |
| Go | autobuild | Works with module-per-sample layout |

Repository setup required

  1. Branch protection (Settings → Branches → main): add Analyze Samples / Analyze Python Samples, Analyze Samples / Analyze JavaScript/TypeScript Samples, Analyze Samples / Analyze .NET Samples, Analyze Samples / Analyze Go Samples as required status checks after the first workflow run
  2. Alert thresholds (Settings → Code security → Code scanning): configure High/Critical to block PRs
  3. Private repos only: GitHub Advanced Security must be enabled; public repos get this free

Extending for future languages

Add a new job when java/ directories land — java-kotlin with build-mode: none.
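A workflow skeleton that implements the design described in this PR, added here as an illustration rather than the PR's actual .github/workflows/codeql.yml. Only the Python and Go jobs are shown, to contrast the two build modes; the action versions and the cron expression are assumptions, since the thread does not state them.

```yaml
name: Analyze Samples
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '30 6 * * 1'   # assumed weekly run; the thread does not state the cron
  workflow_dispatch:       # on-demand scans

concurrency:               # a newer push to the same ref cancels the run still in flight
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  analyze-python:
    name: Analyze Python Samples
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed for the SARIF upload; not granted to fork PRs
    steps:
      - uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: python
          build-mode: none        # interpreted, nothing to compile
          queries: security-and-quality
      - name: Perform CodeQL Analysis
        # Skipped on forks so the job still passes as a required status check
        if: github.repository == 'AzureCosmosDB/samples'
        uses: github/codeql-action/analyze@v3

  analyze-go:
    name: Analyze Go Samples
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: go
          build-mode: autobuild   # compiled; autobuild handles the module-per-sample layout
          queries: security-and-quality
      - name: Perform CodeQL Analysis
        if: github.repository == 'AzureCosmosDB/samples'
        uses: github/codeql-action/analyze@v3
```

Because the guard sits on the analyze step, a fork PR is not scanned at all rather than merely skipping the upload; its code is first analyzed by the push-to-main and scheduled runs after merge.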


Co-authored-by: seesharprun <5067401+seesharprun@users.noreply.github.com>
@seesharprun seesharprun left a comment

I only want to perform CodeQL analysis, I don't want to build since that's also handled in the validation workflow.

Co-authored-by: seesharprun <5067401+seesharprun@users.noreply.github.com>

Copilot AI commented Mar 19, 2026

I only want to perform CodeQL analysis, I don't want to build since that's also handled in the validation workflow.

Done in ab8f6a2. Removed the Set up .NET and Build .NET samples steps from the C# job and changed build-mode: manual → build-mode: none. All three jobs are now build-free: checkout → init CodeQL → analyze.


@seesharprun seesharprun left a comment

Update the name of each CodeQL workflow to be similar in structure to the name of the Validation Workflows.

Also, add a CodeQL workflow for TypeScript.

…ypeScript job

Co-authored-by: seesharprun <5067401+seesharprun@users.noreply.github.com>

Copilot AI commented Mar 19, 2026

Update the name of each CodeQL workflow to be similar in structure to the name of the Validation Workflows.

Also, add a CodeQL workflow for TypeScript.

Done in 3cf2239. Updated all job names to match the validation workflow pattern (Analyze Python Samples, Analyze JavaScript/TypeScript Samples, Analyze .NET Samples, Analyze Go Samples) and renamed the workflow itself to Analyze Samples. Also added the analyze-javascript job for JavaScript/TypeScript using languages: javascript-typescript and build-mode: none.

Copilot AI changed the title from "Add CodeQL code scanning workflow (Python, C#, Go)" to "Add CodeQL code scanning workflow (Python, JavaScript/TypeScript, C#, Go)" Mar 19, 2026
Copilot AI requested a review from seesharprun March 19, 2026 13:20
@seesharprun seesharprun marked this pull request as ready for review March 19, 2026 13:21
Copilot AI review requested due to automatic review settings March 19, 2026 13:21
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.


Copilot AI left a comment

Pull request overview

Adds a new GitHub Actions workflow to run CodeQL code scanning across the monorepo’s primary languages, intended to provide PR gating and scheduled security-and-quality analysis.

Changes:

  • Introduces .github/workflows/codeql.yml with separate CodeQL jobs for Python, JavaScript/TypeScript, C#, and Go.
  • Configures PR + push-to-main + scheduled + manual (workflow_dispatch) triggers.
  • Uses security-and-quality query suite and per-language build modes.

seesharprun and others added 2 commits March 19, 2026 09:28
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Sidney Andrews <sidandrews@microsoft.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Sidney Andrews <sidandrews@microsoft.com>
@seesharprun

@copilot, please recommend to me in a comment if it's better to have a single CodeQL job or a separate job per language

seesharprun and others added 2 commits March 19, 2026 09:29

Copilot AI commented Mar 19, 2026

@copilot, please recommend to me in a comment if it's better to have a single CodeQL job or a separate job per language

Recommendation: separate jobs per language — this is the better fit for this monorepo, and here's the reasoning:

Separate jobs (current approach) ✅

  • Each job produces its own named status check (Analyze Samples / Analyze Python Samples, etc.), so you can require individual languages in branch protection independently — e.g. require Python and JS/TS but not Go if Go samples aren't security-sensitive.
  • A failure in one language is immediately visible by name in the PR checks UI without drilling into logs.
  • Mirrors the existing Validate Samples workflow pattern already established in this repo (validate-python, validate-javascript, validate-dotnet, validate-go), keeping the two workflows consistent and easy to reason about together.
  • Each job can be individually re-run without rerunning all languages.
  • Adding or removing a language in the future is a self-contained change (add/delete one job block).

Single matrix job

  • Less YAML, but you lose per-language granularity in branch protection — you can only require the entire matrix or nothing.
  • A single language failure in the matrix still blocks the whole check, giving no more actionability than separate jobs, but with less visibility.
  • Harder to independently control build modes (Python none vs Go autobuild) cleanly in a single matrix.

Given that the PR description already calls out adding these as individual required status checks and that the validation workflow uses this same per-job pattern, I'd keep the current separate-jobs design.

@seesharprun seesharprun merged commit 934f6b5 into main Mar 19, 2026
12 checks passed
@seesharprun seesharprun deleted the copilot/enable-codeql-and-scanning branch March 19, 2026 13:53