
ci: add CodeQL code scanning (C#)#10

Merged
v1k70rk4 merged 2 commits into master from ci/codeql on Jun 17, 2026

Conversation

@v1k70rk4

Owner

CodeQL code scanning (C#)

The one remaining layer: code-level SAST (everything else so far covers dependencies / supply chain).

  • .github/workflows/codeql.yml — CodeQL analysis of the C# code on push/PR to master and weekly.
  • build-mode: none — analyzes sources directly, runs on ubuntu with no Windows-build infra (fast). Can switch to a built mode on windows-latest later for more precision.
  • Actions SHA-pinned + persist-credentials: false, matching the repo's hardening.
  • Results land in Security → Code scanning.

Expect some findings to triage — likely around the file service's path handling and the tunnel/SSH argument construction, exactly the surface taint analysis is good at. We review them; nothing auto-applies.

🤖 Generated with Claude Code

Add .github/workflows/codeql.yml: CodeQL static analysis of the C# code on
push/PR to master and weekly. build-mode: none (no build infra; runs on ubuntu).
Actions are SHA-pinned and checkout uses persist-credentials: false, matching the
repo hardening. This is the code-level SAST layer; dependencies are already
covered by Dependabot + the audit gate.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
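The PR page does not show the workflow file itself, so the following is an added illustration, not the repository's actual `.github/workflows/codeql.yml`, of a workflow with the properties the description lists: C# analysis on push and pull request to `master` plus a weekly schedule, `build-mode: none`, SHA-pinned actions, and `persist-credentials: false` on checkout. The `<40-hex-commit-sha>` placeholders must be replaced with the full commit SHA behind the release tag (the trailing comment records the tag for humans and for Dependabot's action updates); the cron time, the `permissions` block, the `concurrency` group and the `queries: security-extended` input are my assumptions, not something the PR states.

```yaml
name: CodeQL

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  schedule:
    - cron: '30 4 * * 1'   # weekly, Monday 04:30 UTC (assumed schedule)

# Least privilege for the whole workflow: read the tree, upload SARIF, nothing else.
permissions:
  contents: read
  security-events: write   # required to upload results to Security -> Code scanning
  actions: read            # lets the action read workflow-run metadata on private repos
  packages: read           # lets the action pull CodeQL query packs from GHCR

# Cancel a superseded run on the same ref so pushes to a PR branch do not queue up.
concurrency:
  group: codeql-${{ github.ref }}
  cancel-in-progress: true

jobs:
  analyze:
    name: Analyze C#
    runs-on: ubuntu-latest   # build-mode: none needs no MSBuild / Windows runner
    timeout-minutes: 60

    steps:
      - name: Checkout
        # Pin to an immutable commit SHA, not a mutable tag or major-version ref.
        uses: actions/checkout@<40-hex-commit-sha>   # vX.Y.Z (placeholder, resolve before use)
        with:
          # Do not leave GITHUB_TOKEN in .git/config where a later step or a
          # compromised action could read it; CodeQL only needs the files.
          persist-credentials: false

      - name: Initialize CodeQL
        # The follow-up commit in this PR moves to the v4 major; pin that tag's SHA here.
        uses: github/codeql-action/init@<40-hex-commit-sha>   # v4.36.2 (placeholder SHA)
        with:
          languages: csharp
          # Source-only extraction: no compilation step, so no build infra is needed.
          build-mode: none
          # Assumption: run the broader security-extended suite rather than the default.
          queries: security-extended

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@<40-hex-commit-sha>   # v4.36.2 (placeholder SHA)
        with:
          # A stable category keeps SARIF uploads distinct if more languages or
          # build modes are added later; otherwise uploads can overwrite each other.
          category: "/language:csharp"
```

To resolve a placeholder, look up the tag's commit with `git ls-remote https://github.com/github/codeql-action v4.36.2` and paste the full 40-character SHA; tags can be moved, commits cannot. The practical caveat of `build-mode: none` is precision rather than safety: without a compiled build the extractor resolves NuGet and framework references on a best-effort basis, so dataflow through library APIs it could not resolve may be missed, which is exactly why the description leaves the door open to a built mode on `windows-latest` if the path-handling and SSH-argument findings look thinner than expected.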
@coderabbitai

coderabbitai Bot commented Jun 17, 2026


Warning

Review limit reached

@v1k70rk4, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 18 minutes and 42 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c45badfb-6204-4a32-826c-997df01ed41b

📥 Commits

Reviewing files that changed from the base of the PR and between ae06618 and c54d361.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml

@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

CodeQL Action v3 is deprecated (end of life December 2026). Move init/analyze to
v4.36.2 (SHA-pinned), so the workflow starts on the current major.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@v1k70rk4 v1k70rk4 merged commit 86dff76 into master Jun 17, 2026
7 checks passed
@v1k70rk4 v1k70rk4 deleted the ci/codeql branch June 17, 2026 18:05
