feat: add code scanning coverage report and alert dismissal scripts

[joshjohanning]

This pull request introduces two new scripts to the scripts directory: code-scanning-coverage-report and dismiss-code-scanning-alerts. Both tools are designed to help organizations manage and improve their code scanning posture across GitHub repositories. The changes include documentation, package manifests, and updates to the main README.md to reference these new scripts.

---

You would run the script like this:

export GITHUB_TOKEN=ghp_aaaaa
node code-scanning-coverage-report.js my-org --output report.csv

Recommended to use GitHub App instead, and use relevant environment variables (GitHub Apps have a higher rate limit)

Variable	Description
GITHUB_APP_ID	GitHub App ID
GITHUB_APP_PRIVATE_KEY_PATH	Path to GitHub App private key file (.pem)
GITHUB_APP_INSTALLATION_ID	GitHub App installation ID for the organization
GITHUB_API_URL	API endpoint (defaults to https://api.github.com)

---

Example results:

results-stale.csv

Repository,Default Branch,Last Updated,Archived,Languages,CodeQL Enabled,Last Default Branch Scan Date,Scanned Languages,Unscanned CodeQL Languages,Open Alerts,Analysis Errors,Analysis Warnings
migrations-1,main,2025-08-03,No,Ruby;JavaScript;TypeScript;Shell;Dockerfile,Yes,2025-04-07,javascript-typescript;ruby;actions,None,11,"None","None"

results-missing-languages.csv:

Repository,Default Branch,Last Updated,Archived,Languages,CodeQL Enabled,Last Default Branch Scan Date,Scanned Languages,Unscanned CodeQL Languages,Open Alerts,Analysis Errors,Analysis Warnings
joshjohanning.github.io-copy,main,2025-11-10,No,HTML;SCSS;JavaScript;Shell;Ruby,Yes,2026-01-01,actions,javascript-typescript;ruby,0,"None","None"
hello-insecure-world,main,2025-11-19,No,TypeScript;CSS;HTML,Yes,2025-11-19,actions,javascript-typescript,8,"None","None"
hello-insecure-world-2,main,2025-11-19,No,TypeScript;CSS;HTML,Yes,2025-11-19,actions,javascript-typescript,8,"None","None"

results-disabled.csv:

Repository,Default Branch,Last Updated,Archived,Languages,CodeQL Enabled,Last Default Branch Scan Date,Scanned Languages,Unscanned CodeQL Languages,Open Alerts,Analysis Errors,Analysis Warnings
example-gh-maven,master,2022-01-09,No,Java,No Scans,Never,,java-kotlin,N/A,"None","None"
composite-action-sample,main,2022-09-23,No,,Disabled,Never,,N/A,N/A,"None","None"
composite-sample-1,main,2022-01-10,No,Shell,Disabled,Never,,None,N/A,"None","None"
composite-caller-1,main,2023-12-16,No,,Disabled,Never,,N/A,N/A,"None","None"

results-analysis-issues.csv:

Repository,Default Branch,Last Updated,Archived,Languages,CodeQL Enabled,Last Default Branch Scan Date,Scanned Languages,Unscanned CodeQL Languages,Open Alerts,Analysis Errors,Analysis Warnings
backup-utils,master,2023-06-07,No,Shell;Ruby;Makefile;Dockerfile,Yes,2024-12-18,ruby,None,N/A,"unsuccessful execution, exit code: 0, description:  ","None"
failed-ghas-tool,main,2024-12-17,No,,Yes,2025-02-16,go;csharp,None,N/A,"unsuccessful execution, exit code: 0, description:  ","None"

[github-actions]

📋 Lint Results

⚡ ./gh-cli scripts

✅ No issues found.

🔧 ./scripts scripts

✅ No issues found.

---

Lint results updated at Tue Jan 13 17:11:34 UTC 2026

[Copilot]

Pull request overview

This pull request introduces a comprehensive code scanning coverage report tool for GitHub organizations. The implementation includes both a Node.js script (in scripts/) and a bash script (in gh-cli/), along with documentation for both.

Key changes:

• Adds a parallelized Node.js script for generating detailed CodeQL coverage reports with sub-report generation capabilities
• Adds a bash alternative using the gh CLI for users without Node.js
• Includes comprehensive documentation with usage examples, options, and output descriptions

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 11 comments.

Show a summary per file

File	Description
scripts/get-code-scanning-coverage-report/package.json	Defines Node.js package metadata and dependencies (octokit v4)
scripts/get-code-scanning-coverage-report/package-lock.json	Lock file for npm dependencies
scripts/get-code-scanning-coverage-report/get-code-scanning-coverage-report.js	Main Node.js implementation with parallel API calls and CSV generation
scripts/get-code-scanning-coverage-report/README.md	Detailed documentation for the Node.js script with usage examples
scripts/README.md	Adds entry for the new script to the scripts directory index
gh-cli/get-code-scanning-coverage-report.sh	Bash implementation using gh CLI for users without Node.js
gh-cli/README.md	Adds entry for the bash script to the gh-cli directory index

Files not reviewed (1)

• scripts/get-code-scanning-coverage-report/package-lock.json: Language not supported

[Copilot]

Pull request overview

Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 11 changed files in this pull request and generated 10 comments.

Comments suppressed due to low confidence (1)

scripts/code-scanning-coverage-report/code-scanning-coverage-report.js:940

• The value assigned to rateLimitOctokit here is unused.

    rateLimitOctokit = createTokenOctokit();

[Copilot]

Pull request overview

Copilot reviewed 9 out of 11 changed files in this pull request and generated 2 comments.