ci: remove CodeQL code-scanning workflow#27
Conversation
Drop the weekly/push-to-main CodeQL Rust analysis. Removing it stops the scheduled + on-push runs and no new alerts will be produced going forward. Note: this only removes the advanced (workflow-based) setup. If GitHub's 'default' CodeQL setup is also enabled for the repo, or code-scanning is required by a branch-protection/org policy, that must be turned off in Settings > Code security separately.
|
Claude finished @bdimitrov-netzine's task in 54s —— View job PR Review
SummaryThis PR cleanly removes the CodeQL workflow. The deletion is technically correct — no other files in the repo reference CodeQL, so this is a pure, self-contained removal with no dangling references. What's being lostThe deleted workflow was well-crafted:
After merge, the GitHub Security → Code Scanning tab will retain historical alerts but no new findings will be generated from this workflow. Considerations
VerdictThe change is technically sound and complete. The main question is intentionality around security coverage: is there a replacement SAST strategy, or is this a deliberate decision to drop automated code scanning? If the latter, documenting that rationale (e.g., in a commit message or team decision log) would be worthwhile. No blocking issues — approve if the team is intentionally moving away from CodeQL. |
Security Scan - CodeSeverity: HIGH, CRITICAL No vulnerabilities found View scan results |
Removes
.github/workflows/codeql.yml(the weekly + push-to-main CodeQL Rust analysis).After merge, no new CodeQL runs or alerts will be produced from this workflow.
Heads up: this only removes the advanced (workflow-based) setup. If GitHub's default CodeQL setup is enabled for the repo, or code-scanning is required by a branch-protection / org security policy, that must be disabled separately under Settings → Code security.