demaconsulting · Malcolmnixon · Jan 27, 2026 · Jan 27, 2026 · Jan 27, 2026 · Jan 27, 2026
diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json
@@ -43,6 +43,12 @@
       "commands": [
         "sonarmark"
       ]
+    },
+    "demaconsulting.sarifmark": {
+      "version": "1.0.1",
+      "commands": [
+        "sarifmark"
+      ]
     }
   }
 }
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
@@ -0,0 +1,17 @@
+---
+# CodeQL configuration for TestResults
+# Excludes test code from path-combine security analysis
+# Excludes justified generic exception handlers
+
+name: "TestResults CodeQL Config"
+
+# Query filters to disable specific queries for certain paths
+query-filters:
+  - exclude:
+      id: cs/path-combine
+    paths:
+      - test/**/*.cs
+  - exclude:
+      id: cs/catch-of-all-exceptions
+    paths:
+      - src/DemaConsulting.TestResults/Program.cs
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -188,6 +188,8 @@ jobs:
         uses: github/codeql-action/init@v4
         with:
           languages: csharp
+          queries: security-and-quality
+          config-file: ./.github/codeql-config.yml
           build-mode: manual
 
       - name: Restore Tools
@@ -215,7 +217,7 @@ jobs:
       - name: Upload SARIF
         uses: actions/upload-artifact@v6
         with:
-          name: codeql-results
+          name: codeql-sarif
           path: sarif-results/csharp.sarif
 
   build-docs:
@@ -255,6 +257,12 @@ jobs:
           path: test-results
           merge-multiple: true
 
+      - name: Download CodeQL SARIF
+        uses: actions/download-artifact@v7
+        with:
+          name: codeql-sarif
+          path: codeql-results
+
       - name: Generate Requirements Report and Trace Matrix
         run: >
           dotnet reqstream
@@ -304,6 +312,21 @@ jobs:
           docs/tracematrix/tracematrix.html
           "docs/TestResults Trace Matrix.pdf"
 
+      - name: Generate CodeQL Quality Report with SarifMark
+        shell: pwsh
+        run: >
+          dotnet sarifmark
+          --sarif codeql-results/csharp.sarif
+          --report docs/quality/codeql-quality.md
+          --heading "TestResults CodeQL Analysis"
+          --report-depth 1
+
+      - name: Display CodeQL Quality Report
+        shell: pwsh
+        run: |
+          echo "=== CodeQL Quality Report ==="
+          Get-Content docs/quality/codeql-quality.md
+
       - name: Generate Code Quality Report with SonarMark
         shell: pwsh
         env:
@@ -317,6 +340,12 @@ jobs:
           --report docs/quality/sonar-quality.md
           --report-depth 1
 
+      - name: Display SonarCloud Quality Report
+        shell: pwsh
+        run: |
+          echo "=== SonarCloud Quality Report ==="
+          Get-Content docs/quality/sonar-quality.md
+
       - name: Generate Code Quality HTML with Pandoc
         run: >
           dotnet pandoc

diff --git a/.github/workflows/build_docs.yaml b/.github/workflows/build_docs.yaml
diff --git a/docs/quality/definition.yaml b/docs/quality/definition.yaml
@@ -5,6 +5,7 @@ resource-path:
 
 input-files:
   - docs/quality/introduction.md
+  - docs/quality/codeql-quality.md
   - docs/quality/sonar-quality.md
 
 template: template.html