Add CodeQL config to exclude .vscode-test/ from analysis (#5456)

TravisEz13 · Copilot · web-flow · commit d7d8f0188c4d · 2026-04-08T11:31:08.000-07:00
The .vscode-test/ directory is populated at CI test runtime by the
vscode-test npm package, which downloads a VS Code binary to run
integration tests. This directory is already in .gitignore and
contains third-party VS Code/extension code (not PowerShell source).

S360/CodeQL was flagging CodeQL.SM04514 'Weak hashes' in:
  .vscode-test/.../ms-vscode.js-debug/src/bootloader.js

That file belongs to the VS Code JavaScript Debugger extension
(ms-vscode.js-debug), owned by the VS Code team. Adding a CodeQL
paths-ignore config prevents the scanner from analyzing runtime
artifacts that are outside PowerShell's ownership and control.

Resolves: ADO #34872363

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -0,0 +1,7 @@
+# CodeQL analysis configuration for vscode-powershell.
+# Excludes runtime-downloaded artifacts that are not part of the repository source.
+paths-ignore:
+  - .vscode-test/ # Downloaded VS Code binaries for integration testing (in .gitignore)
+  - node_modules/
+  - out/
+  - dist/
