
Enable CodeQL security analysis#754

Merged
arrayka merged 5 commits into main from copilot/enable-codeql-checks
Feb 11, 2026

Conversation

Contributor

Copilot AI commented Feb 10, 2026

CodeQL Enablement

  • Create CodeQL workflow configuration
    • Configure CodeQL for Rust language
    • Set up build steps for Rust workspace
    • Set up CodeQL database initialization and analysis
  • Integrate CodeQL into ci.yml
    • Remove separate codeql.yml workflow file
    • Add CodeQL job to ci.yml workflow
    • Verify build commands work correctly
  • Address review feedback
    • Scope security-events:write permission to only the codeql job (least-privilege)
    • Fix step indentation to match other jobs in the workflow
    • Use --profile ci to match other jobs and avoid cache duplication
    • Remove CodeQL from basics gate to avoid blocking expensive tests

Summary

CodeQL is now integrated into the CI workflow and runs in parallel with all other jobs. It is not part of the "basics" gate, which means:

  • Fast basic checks (clippy, fmt, etc.) complete in ~30 seconds and immediately unblock expensive tests
  • CodeQL runs in parallel with expensive tests (workspace tests, coverage, etc.)
  • Total CI time is not increased by CodeQL's ~8 minute runtime
  • CodeQL is still a required check for PRs - it just doesn't block other tests from starting

The job follows least-privilege principles with scoped permissions and uses the ci profile for build caching consistency.

Original prompt

This section details the original issue you should resolve

<issue_title>CodeQL enablement</issue_title>
<issue_description>## Is your feature request related to a problem? Please describe.
Enable CodeQL checks

</issue_description>

Comments on the Issue (you are @copilot in this section)


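The two job shapes the description and the review discussion are about, side by side as an added illustration (this is not the project's actual ci.yml; the job ids `basics` and `expensive-tests`, the `ci` cargo profile, and the action versions are assumptions):

```yaml
# Added illustration, not the project's ci.yml. Assumed: job ids `clippy`, `fmt`,
# `basics`, `expensive-tests`; a `ci` profile in Cargo.toml; public action versions.
#
# Document 1: the shape the review pushed back on.
on: [push, pull_request]
permissions:                                 # workflow-wide: every job can upload results
  contents: read
  security-events: write
jobs:
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with: { languages: rust }
      - run: cargo build --workspace         # default profile: separate cache entries
      - uses: github/codeql-action/analyze@v3
  basics:
    needs: [clippy, fmt, codeql]             # ~8 min CodeQL now gates every expensive job
    runs-on: ubuntu-latest
    steps: [{ run: "echo basics gate" }]
---
# Document 2: the merged shape (least privilege, off the basics gate).
on: [push, pull_request]
permissions:
  contents: read                             # read-only default for every job
jobs:
  codeql:
    runs-on: ubuntu-latest
    permissions:                             # job-level block replaces the workflow default
      contents: read
      security-events: write                 # only this job may write code-scanning results
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with: { languages: rust }
      - run: cargo build --workspace --profile ci   # same profile as other jobs: shared cache
      - uses: github/codeql-action/analyze@v3
  basics:
    needs: [clippy, fmt]                     # codeql deliberately not listed
    runs-on: ubuntu-latest
    steps: [{ run: "echo basics gate" }]
  expensive-tests:
    needs: basics                            # unblocked after ~30 s; CodeQL runs alongside
    runs-on: ubuntu-latest
    steps: [{ run: "cargo test --workspace --profile ci" }]
```

Making `codeql` a required check for PRs is branch-protection configuration rather than anything in the workflow file, which is how it can be required without sitting in the `basics` gate.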

Co-authored-by: harsha-simhadri <5590673+harsha-simhadri@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Enable CodeQL checks for code analysis" to "Enable CodeQL security analysis" on Feb 10, 2026
Co-authored-by: arrayka <1551741+arrayka@users.noreply.github.com>
Copilot AI changed the title from "Enable CodeQL security analysis" to "Enable CodeQL security analysis as pre-checkin validation" on Feb 10, 2026
Copilot AI requested a review from arrayka February 10, 2026 16:44
@harsha-simhadri harsha-simhadri marked this pull request as ready for review February 10, 2026 20:49
@harsha-simhadri harsha-simhadri requested review from a team and Copilot February 10, 2026 20:49
Contributor

Copilot AI left a comment


Pull request overview

Adds CodeQL code scanning to the existing CI workflow so Rust security analysis runs as part of the required “basics” gate before more expensive jobs execute.

Changes:

  • Grants workflow permissions needed to upload CodeQL results (security-events: write).
  • Adds a new codeql job that initializes CodeQL for Rust, builds the workspace, and uploads analysis results.
  • Includes the codeql job in the basics gating job’s needs list.


@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@codecov-commenter

codecov-commenter commented Feb 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.99%. Comparing base (3674a49) to head (18d2d4c).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #754   +/-   ##
=======================================
  Coverage   88.99%   88.99%           
=======================================
  Files         428      428           
  Lines       78234    78235    +1     
=======================================
+ Hits        69626    69627    +1     
  Misses       8608     8608           
Flag        Coverage   Δ
miri        88.99%     <ø> (+<0.01%) ⬆️
unittests   88.99%     <ø> (+<0.01%) ⬆️


@hildebrandmw
Contributor

A few comments:

  1. Putting this in the basic tests basically doubles our CI time since it appears to take about 8 minutes to run, whereas before our basic tests were much shorter.
  2. A neutral check in CI seems to not have passed. Is this expected?
  3. We may want to check if we also want to use the "ci" cargo-profile when building the workspace for scanning. It's possible that not using this profile will result in duplicate entries in our CI cache that we could otherwise hit. I don't know if profiles are treated differently for these purposes though.

@copilot - would you be able to weigh-in on these comments?

Co-authored-by: hildebrandmw <24898651+hildebrandmw@users.noreply.github.com>
Contributor Author

Copilot AI commented Feb 10, 2026

A few comments:

  1. Putting this in the basic tests basically doubles our CI time since it appears to take about 8 minutes to run, whereas before our basic tests were much shorter.
    ...

Addressed in commit cbdbb77:

  1. CI time: CodeQL does take ~8 minutes but runs in parallel with other basic checks (clippy, fmt, etc.), so it shouldn't double the total time - it just extends the longest-running job in the basics gate. All basics jobs must complete before expensive tests run.

  2. Neutral check: I'm not seeing details about which neutral check failed. Could you provide more information about which check is showing as neutral?

  3. CI profile: Now using --profile ci for the build, which should maintain cache consistency with other CI jobs and avoid duplicate cache entries.

Co-authored-by: hildebrandmw <24898651+hildebrandmw@users.noreply.github.com>
Copilot AI changed the title from "Enable CodeQL security analysis as pre-checkin validation" to "Enable CodeQL security analysis" on Feb 11, 2026
Copilot AI requested a review from hildebrandmw February 11, 2026 00:06
@arrayka arrayka enabled auto-merge (squash) February 11, 2026 22:21
@arrayka arrayka merged commit 456c94a into main Feb 11, 2026
22 checks passed
@arrayka arrayka deleted the copilot/enable-codeql-checks branch February 11, 2026 22:21
hildebrandmw added a commit that referenced this pull request Feb 13, 2026
## What's Changed

### API Breaking Changes
* Remove the `experimental_avx512` feature. by @hildebrandmw in #732
* Use VirtualStorageProvider::new_overlay(test_data_root()) in tests by @Copilot in #726
* save and load max_record_size and leaf_page_size for bftrees by @backurs in #724
* [multi-vector] Verify `Standard` won't overflow in its constructor. by @hildebrandmw in #757
* VirtualStorageProvider: Make new() private, add new_physical by @Copilot in #764
* [minmax] Refactor full query by @arkrishn94 in #770
* Bump diskann-quantization to edition 2024. by @hildebrandmw in #772

### Additions
* [multi-vector] Enable cloning of `Mat` and friends. by @hildebrandmw in #759
* adding bftreepaths in mod.rs by @backurs in #775
* [quantization] Add `as_raw_ptr`. by @hildebrandmw in #774

### Bug Fixes
* Fix `diskann` compilation without default-features and add CI tests. by @hildebrandmw in #722

### Docs and Comments
* Updating the benchmark README to use diskann-benchmark by @bryantower in #709
* Fix doc comment: Windows line endings are \r\n not \n\r by @Copilot in #717
* Fix spelling errors in streaming API documentation by @Copilot in #715
* Add performance diagnostic to `diskann-benchmark` by @hildebrandmw in #744
* Add agents.md onboarding guide for coding agents by @Copilot in #765
* [doc] Fix lots of little typos in `diskann-wide` by @hildebrandmw in #771

### Performance
* [diskann-wide] Optimize `load_simd_first` for 8-bit and 16-bit element types. by @hildebrandmw in #747

### Dependencies
* Bump bytes from 1.11.0 to 1.11.1 by @dependabot[bot] in #723
* [diskann] Add note on the selection of `PruneKind` in `graph::config::Builder`. by @hildebrandmw in #734
* [diskann-providers] Remove the LRU dependency and make `vfs` and `serde_json` optional. by @hildebrandmw in #733

### Infrastructure
* Add initial QEMU tests for `diskann-wide`. by @hildebrandmw in #719
* [CI] Skip coverage for Dependabot. by @hildebrandmw in #725
* Add miri test coverage to CI workflow by @Copilot in #729
* [CI] Add minimal ARM checks by @hildebrandmw in #745
* Enable CodeQL security analysis by @Copilot in #754

## New Contributors
* @backurs made their first contribution in #724
* @arkrishn94 made their first contribution in #770

**Full Changelog**: 0.45.0...0.46.0
Successfully merging this pull request may close these issues.

CodeQL enablement

5 participants