This page documents the two automated security scanning workflows that run against the TypeScript repository: the CodeQL static analysis workflow and the OpenSSF Scorecard supply-chain security workflow. Both upload results in SARIF format to GitHub's code scanning dashboard.
For information about the broader CI pipeline and its other jobs, see 13.1. For code quality tooling such as formatting and coverage, see 11.1 and 11.2.
The repository runs two distinct but complementary security workflows:
| Workflow file | Name | Purpose |
|---|---|---|
| .github/workflows/codeql.yml | Code Scanning - Action | Static analysis of source code for security vulnerabilities |
| .github/workflows/scorecard.yml | Scorecard supply-chain security | Supply-chain risk assessment against OpenSSF criteria |
Both workflows write their findings to the GitHub code scanning dashboard via the SARIF upload mechanism. Neither workflow is part of the required gate for merging pull requests (see page 13.1 for the required job list).
CodeQL scans the TypeScript source code for common security vulnerability patterns. The workflow initializes the CodeQL analysis tools, attempts to autobuild the project, and then runs the analysis. Results are uploaded directly to GitHub's security tab.
Sources: .github/workflows/codeql.yml lines 3-22
| Event | Condition |
|---|---|
| push | Branches matching main or release-* |
| pull_request | Targeting main or release-* |
| schedule | Weekly, Sundays at 01:30 UTC (30 1 * * 0) |
The job also includes a runtime guard, `if: github.repository == 'microsoft/TypeScript'`, which prevents the workflow from running on forks (source: .github/workflows/codeql.yml line 37).
Sources: .github/workflows/codeql.yml lines 24-26
The workflow declares contents: read at the top level, and the CodeQL-Build job elevates to security-events: write to permit uploading scan results to GitHub's code scanning dashboard.
permissions (top-level): contents: read
permissions (CodeQL-Build job): security-events: write
Workflow: .github/workflows/codeql.yml, job: CodeQL-Build
Sources: .github/workflows/codeql.yml lines 43-73
| Step | Action | Notes |
|---|---|---|
| Checkout repository | actions/checkout | Pinned to commit hash |
| Initialize CodeQL | github/codeql-action/init | Reads .github/codeql/codeql-configuration.yml |
| Autobuild | github/codeql-action/autobuild | Attempts automatic build detection |
| Perform Analysis | github/codeql-action/analyze | Uploads results to code scanning dashboard |
The CodeQL initialization step references .github/codeql/codeql-configuration.yml via the config-file input (source: .github/workflows/codeql.yml line 51). This file controls which query suites are run, which paths to include or exclude, and any custom queries. The languages analyzed are determined by CodeQL's auto-detection unless overridden in the config file.
All three CodeQL action steps are pinned to the same commit hash (9e907b5e64f6b83e7804b09294d44122997950d6, tagged v4.32.3); see .github/workflows/codeql.yml lines 49-73. This is consistent with the repository's supply-chain hardening approach of pinning all third-party actions to immutable commit SHAs rather than mutable version tags.
The Scorecard workflow runs the OpenSSF scorecard-action against the repository to evaluate supply-chain security posture across a set of standardized checks. Results are published to the OpenSSF REST API (enabling a public badge), stored as a SARIF artifact, and uploaded to GitHub's code scanning dashboard.
Sources: .github/workflows/scorecard.yml lines 8-16
| Event | Condition |
|---|---|
| branch_protection_rule | Any change to branch protection rules (supports the Branch-Protection Scorecard check) |
| push | Branch main only |
| schedule | Weekly, Thursdays at 15:19 UTC (19 15 * * 4) |
The scheduled run ensures the Maintained Scorecard check is periodically refreshed even when there is no push activity.
Sources: .github/workflows/scorecard.yml lines 17-29
The workflow defaults to permissions: read-all. The analysis job then explicitly grants:
| Permission | Purpose |
|---|---|
| security-events: write | Upload SARIF results to code scanning dashboard |
| id-token: write | Publish results to OpenSSF REST API |
Workflow: .github/workflows/scorecard.yml, job: analysis
Sources: .github/workflows/scorecard.yml lines 30-60
| Step | Action | Notes |
|---|---|---|
| Checkout | actions/checkout | persist-credentials: false to avoid token leakage |
| Run analysis | ossf/scorecard-action | Outputs results.sarif; publish_results: true |
| Upload artifact | actions/upload-artifact | Retains SARIF for 5 days |
| Upload to code scanning | github/codeql-action/upload-sarif | Makes results visible in GitHub Security tab |
The OpenSSF Scorecard evaluates a set of checks related to supply-chain security. Based on the workflow triggers, the following checks are explicitly supported:
| Scorecard Check | Supported By |
|---|---|
| Branch-Protection | branch_protection_rule trigger |
| Maintained | Weekly schedule trigger |
| Token permissions, pinned dependencies, etc. | Evaluated on every run |
Both workflows share a common reporting path: results are converted to or produced as SARIF (Static Analysis Results Interchange Format) and uploaded to GitHub's code scanning dashboard using github/codeql-action/upload-sarif.
Sources: .github/workflows/codeql.yml lines 72-73; .github/workflows/scorecard.yml lines 56-60
[Diagram not reproduced here. It maps the two workflow files to their key action dependencies (actions/checkout, github/codeql-action/init, autobuild and analyze; ossf/scorecard-action, actions/upload-artifact, github/codeql-action/upload-sarif) and to their output destinations (the GitHub code scanning dashboard, the OpenSSF REST API and the retained SARIF artifact).]
Sources: .github/workflows/codeql.yml lines 1-73; .github/workflows/scorecard.yml lines 1-60
Both workflows follow the same action-pinning convention used throughout the repository: every uses: directive specifies a full commit SHA alongside a human-readable version comment, rather than a mutable version tag. For example:
`actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` (.github/workflows/codeql.yml line 45)
`ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3` (.github/workflows/scorecard.yml line 37)
The Scorecard workflow additionally sets persist-credentials: false on checkout (.github/workflows/scorecard.yml line 34) and defaults all workflow permissions to read-all (.github/workflows/scorecard.yml line 18); both are practices recommended by the OpenSSF Scorecard Token-Permissions check.
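As an added example (not tooling from the TypeScript repository), a stdlib-only Python checker that enforces the three conventions described above on a workflow body: every uses: reference pinned to a full commit SHA with a version comment, read-only top-level permissions, and persist-credentials: false on each checkout step. Both sample workflow excerpts are constructed; the action SHAs and version comments in the hardened one are the values quoted on this page.

```python
import re
from itertools import takewhile

# Patterns for the three conventions the page describes (added example, not the repository's tooling).
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_PINNED = re.compile(r"uses:\s*[\w.-]+/[\w./-]+@[0-9a-f]{40}\s+#\s*\S+")
PERSIST_OFF = re.compile(r"persist-credentials:\s*false\b")

def _scalar(line: str) -> str:  # YAML value after the first colon, trailing comment stripped
    return line.split("#", 1)[0].split(":", 1)[1].strip()

def check_workflow(text: str) -> list[str]:
    """Return findings for a workflow body; an empty list means all three conventions hold."""
    lines = text.splitlines()
    findings: list[str] = []
    uses_at = [i for i, l in enumerate(lines) if USES.match(l)]
    # 1. Every action reference must be a full 40-hex commit SHA followed by a version comment.
    for i in uses_at:
        if not SHA_PINNED.search(lines[i]):
            findings.append(f"line {i + 1}: {USES.match(lines[i]).group(1)} is not SHA-pinned with a version comment")
    # 2. Top-level permissions must be read-only: `read-all`, or a mapping that grants no write scope.
    top = next((i for i, l in enumerate(lines) if l.startswith("permissions:")), None)
    if top is None:
        findings.append("no top-level permissions key; GITHUB_TOKEN falls back to the repository default")
    else:
        scalar = _scalar(lines[top])
        scopes = [scalar] if scalar else [_scalar(l) for l in takewhile(lambda s: s.startswith(" "), lines[top + 1:])]
        if any(s in ("write", "write-all") for s in scopes):
            findings.append(f"line {top + 1}: top-level permissions grant write access")
    # 3. Each checkout step must set persist-credentials: false in its `with:` block (assumed to follow `uses:`).
    for k, i in enumerate(uses_at):
        end = uses_at[k + 1] if k + 1 < len(uses_at) else len(lines)
        if "actions/checkout@" in lines[i] and not any(PERSIST_OFF.search(l) for l in lines[i:end]):
            findings.append(f"line {i + 1}: checkout step does not set persist-credentials: false")
    return findings

# Constructed sample in the style of scorecard.yml; the SHAs and version comments are quoted from the page.
HARDENED = """permissions: read-all
steps:
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    with:
      persist-credentials: false
  - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
"""
# Constructed counter-example with the weak settings the convention rules out.
WEAK = """permissions: write-all
steps:
  - uses: actions/checkout@v4
  - uses: ossf/scorecard-action@main
"""
```

Running check_workflow(WEAK) reports four findings (two unpinned actions, write-all permissions, and a checkout without persist-credentials: false), while the hardened excerpt reports none.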