feat(ci): Add Python to CodeQL analysis language matrix #884

@WilliamBerryiii

Summary

The CodeQL analysis workflow currently scans only JavaScript/TypeScript. Adding python to the language matrix enables automated security vulnerability detection for all Python code in the repository, including the new PowerPoint automation skill from PR #868.

This is a HIGH priority change for OSSF Best Practices silver badge compliance: the static_analysis_common_vulnerabilities criterion requires static analysis tooling that covers all languages in the repository.

Context

CodeQL is already configured and running at .github/workflows/codeql-analysis.yml. The change involves adding python to the existing language matrix so CodeQL's Python analyzers activate automatically. GitHub's CodeQL action handles Python dependency resolution and will detect issues like injection vulnerabilities, insecure deserialization, path traversal, and hardcoded credentials.

Prior work in #634 (closed) identified the absence of Python CI pipelines as a medium-priority gap. This issue addresses the security scanning component.

Changes Required

File: .github/workflows/codeql-analysis.yml
Change: Add python to the language matrix array

Acceptance Criteria

  • python appears in the CodeQL workflow language matrix
  • CodeQL Python analysis runs successfully on PRs containing .py files
  • Existing JavaScript/TypeScript analysis continues to function
  • CodeQL results appear in the repository's Security tab for Python findings
  • No false-positive failures on the existing codebase

OSSF Impact

HIGH — Directly satisfies the static_analysis_common_vulnerabilities MUST criterion for OSSF Best Practices silver badge. Without Python in CodeQL, the repository cannot claim comprehensive static security analysis.

Dependencies

None. CodeQL infrastructure is already in place; this extends coverage to an additional language.

Related
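For reference, this is what a CodeQL workflow with both languages in the matrix looks like. It is an added example, not the repository's actual .github/workflows/codeql-analysis.yml (that file is not shown in the issue): the triggers, the branch name, the action versions and the existing 'javascript-typescript' entry are assumptions; only the addition of 'python' to the language matrix is what the issue describes.

```yaml
# Added example, not the repository's own workflow file. The existing file is
# assumed to already contain the 'javascript-typescript' entry; 'python' is the
# addition this issue asks for. Triggers, branch and action versions are
# assumptions.
name: "CodeQL"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '30 5 * * 1'

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      # security-events: write is what lets the analyze step upload SARIF
      # results, so the Python findings actually show up in the Security tab.
      security-events: write
      contents: read
      actions: read

    strategy:
      # Keep the JavaScript/TypeScript job running even if the new Python job
      # fails, so extending the matrix never silently drops existing coverage.
      fail-fast: false
      matrix:
        # One job per entry. The Python analyzers activate for the 'python'
        # entry; no build step is needed for an interpreted language.
        language: [ 'javascript-typescript', 'python' ]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          # A distinct category per language so the two uploads do not
          # overwrite each other's results in code scanning.
          category: "/language:${{ matrix.language }}"
```

CodeQL accepts both 'javascript' and 'javascript-typescript' as the identifier for the existing JS/TS analysis, so whichever spelling the current file uses can stay; only the new 'python' entry needs to be added to the array. Leaving the default query suite (no 'queries:' input) is the conservative choice for the "no false-positive failures" acceptance criterion; a broader suite such as security-extended can be enabled later once the baseline is clean. To check the change after merge, open a PR that touches a .py file and confirm a separate "Analyze (python)" job runs alongside the JS/TS one, then look for the Python results under the repository's Security tab.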

Metadata

Labels

  • infrastructure: Repository infrastructure and tooling
  • security: Security-related changes or concerns