Address CodeQL alerts SM05137 and SM02184 in connect flow#132
Merged
Adds a Microsoft CodeQL inline suppression with justification on the DefaultAzureCredential fallback in the connect flow. This is an interactive developer CLI, not a hosted service: the credential is the last-resort fallback that adopts the developer's local identity, so there is no fixed service identity to pin to.
All emulator connections are routed through BuildEmulatorConnectionString, which appends DisableServerCertificateValidation=True. The SDK honors that connection-string flag, so the ServerCertificateCustomValidationCallback was redundant. Removing it resolves CodeQL SM02184 and the now-unused connectionString parameter on CreateClientOptions.
Pull request overview
This PR updates the Cosmos DB shell "connect" flow to address two CodeQL alerts by (1) removing redundant TLS certificate-validation bypass logic for emulator connections and (2) adding an inline suppression/justification for a DefaultAzureCredential fallback that is intentional for an interactive developer CLI.
Changes:
- Removes `ServerCertificateCustomValidationCallback = ... => true` for emulator connections and relies on the existing `DisableServerCertificateValidation=True` connection-string flag.
- Simplifies `CreateClientOptions` by removing the now-unused `connectionString` parameter and updates its call sites.
- Adds an inline CodeQL suppression comment for the `DefaultAzureCredential` fallback path (but the suppression syntax needs a small correction to be effective).
sevoku approved these changes on Jun 16, 2026
Summary
Addresses two CodeQL security alerts on the connect flow in `ShellInterpreter.cs`.

SM05137 — DefaultAzureCredential (false positive in context)
Adds a Microsoft CodeQL inline suppression with justification on the `DefaultAzureCredential` fallback. This is an interactive developer CLI, not a hosted service: the credential is the last-resort fallback that adopts the developer's local identity (Azure CLI/azd, Visual Studio, env vars, or VM managed identity). No fixed service identity exists to pin to.

SM02184 — Server certificate validation disabled (real cleanup)
Removes the redundant `ServerCertificateCustomValidationCallback = (cert, chain, errors) => true` in `CreateClientOptions`. All emulator connections are routed through `BuildEmulatorConnectionString`, which appends `DisableServerCertificateValidation=True` to the connection string. The SDK honors that flag, so cert validation is already skipped for the emulator without the callback. Token-auth paths are only reached for non-emulator endpoints, so the callback was never the sole mechanism on any path. Removing it also drops the now-unused `connectionString` parameter on `CreateClientOptions`.

Validation
`dotnet build CosmosDBShell/CosmosDBShell.csproj` → 0 Warnings / 0 Errors

Commits
b334a23 Suppress CodeQL SM05137 on DefaultAzureCredential fallback
bac5492 Remove redundant emulator cert-validation callback (SM02184)
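As an added illustration (not code from this PR or the CosmosDBShell project), a Python audit of the invariant the description relies on once the callback is gone: `DisableServerCertificateValidation=True` must reach emulator endpoints and nothing else. The emulator host list and the `build_emulator_connection_string` helper are assumptions standing in for the project's `BuildEmulatorConnectionString`.

```python
"""Audit helper (added here, not the project's code): confirm the cert-validation
bypass flag is present for emulator endpoints and absent for every other endpoint."""
from urllib.parse import urlparse

# Assumption: the CLI only ever talks to a locally hosted emulator.
EMULATOR_HOSTS = {"localhost", "127.0.0.1", "::1", "host.docker.internal"}


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' on the first '=' only, so base64 padding survives."""
    parts = {}
    for segment in conn.split(";"):
        if not segment.strip():
            continue
        key, sep, value = segment.partition("=")
        if not sep:
            raise ValueError(f"malformed segment: {segment!r}")
        parts[key.strip().lower()] = value.strip()
    return parts


def is_emulator_endpoint(endpoint: str) -> bool:
    host = urlparse(endpoint).hostname or ""
    return host.lower() in EMULATOR_HOSTS


def audit_connection_string(conn: str) -> list:
    """Return findings; an empty list means the string is acceptable."""
    parts = parse_connection_string(conn)
    endpoint = parts.get("accountendpoint", "")
    if not endpoint:
        return ["missing AccountEndpoint"]
    bypass = parts.get("disableservercertificatevalidation", "").lower() == "true"
    local = is_emulator_endpoint(endpoint)
    findings = []
    if bypass and not local:
        findings.append(f"certificate validation disabled for non-emulator endpoint {endpoint}")
    if local and not bypass:
        # With the callback removed, the flag alone admits the emulator's self-signed cert.
        findings.append(f"emulator endpoint {endpoint} without DisableServerCertificateValidation=True")
    return findings


def build_emulator_connection_string(endpoint: str, key: str) -> str:
    """Hypothetical counterpart of the page's BuildEmulatorConnectionString that
    refuses to append the bypass flag for anything but an emulator endpoint."""
    if not is_emulator_endpoint(endpoint):
        raise ValueError(f"refusing to disable certificate validation for {endpoint}")
    return f"AccountEndpoint={endpoint};AccountKey={key};DisableServerCertificateValidation=True"
```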