As part of maintaining CodeQL integration, what should be reviewed periodically?

Prepare for the GitHub Advanced Security Certification Test. Practice with multiple choice questions, detailed explanations, and hints. Achieve success on your first attempt!

Multiple Choice

As part of maintaining CodeQL integration, what should be reviewed periodically?

Explanation:
The correct answer is the suppressions. Suppressions are the deliberate exceptions you have allowed in CodeQL results, whether as in-source suppression comments or as dismissed code scanning alerts. Because the project, its dependencies, and the threat landscape evolve, those suppressions can become outdated or inappropriate: a finding dismissed as a false positive a year ago may have become reachable after a refactor. Reviewing them periodically ensures each suppression still reflects a legitimate exception, is properly scoped (one rule at one location, not a blanket exclusion), and has a clear, recorded justification. For each suppression you verify whether the underlying finding still exists, whether it is a true or false positive, and whether the suppression can be narrowed or removed. Establish a cadence (for example, quarterly or with each major release), assign an owner, and document the rationale so future maintainers understand why each suppression remains. This keeps the CodeQL integration reliable and security-conscious over time. Updating secret scanning patterns, SARIF export formats, or the workflow's Python version can all be important for other reasons, but none of them addresses the ongoing accuracy and governance of findings in the same targeted way as reviewing suppressions.
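One way to make that periodic review mechanical, as an added example that is not part of the original page or of GitHub's own tooling: CodeQL marks alerts it has suppressed with the standard SARIF 2.1.0 `suppressions` property (kind `inSource` for suppression comments), so a short script can cross-check every suppressed result against a register of justifications. The register format (owner, reason, review-by date keyed by rule id, file and line), the SARIF fragment and the project layout below are all constructed for the example; the rule ids are real CodeQL query ids but the findings are invented.

```python
"""Periodic review of CodeQL suppressions recorded in a SARIF file.

Added example; assumes a committed register of justifications keyed by
"<rule-id>@<path>:<line>" with an owner, a reason and a review-by date.
"""
import json
from datetime import date

# Constructed SARIF 2.1.0 fragment standing in for CodeQL output.
# Paths and line numbers are made up; the query ids are real CodeQL rule ids.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [
            {   # suppressed in source and documented in the register
                "ruleId": "py/sql-injection",
                "message": {"text": "This SQL query depends on a user-provided value."},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "app/db.py"},
                    "region": {"startLine": 42}}}],
                "suppressions": [{"kind": "inSource"}],
            },
            {   # suppressed in source but nobody recorded why
                "ruleId": "py/clear-text-logging-sensitive-data",
                "message": {"text": "This expression logs sensitive data."},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "app/auth.py"},
                    "region": {"startLine": 17}}}],
                "suppressions": [{"kind": "inSource"}],
            },
            {   # suppressed, documented, and still within its review window
                "ruleId": "py/incomplete-url-substring-sanitization",
                "message": {"text": "Incomplete sanitization of a URL."},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "app/urls.py"},
                    "region": {"startLine": 10}}}],
                "suppressions": [{"kind": "inSource"}],
            },
            {   # an ordinary open alert: not a suppression, so not reviewed here
                "ruleId": "py/weak-cryptographic-algorithm",
                "message": {"text": "Weak cryptographic algorithm."},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "app/legacy.py"},
                    "region": {"startLine": 5}}}],
            },
        ],
    }],
})

# Constructed suppression register (in a real repository, a committed YAML/JSON file).
REGISTER = {
    "py/sql-injection@app/db.py:42": {
        "owner": "db-team", "reason": "Table name comes from a fixed allow-list.",
        "review_by": "2025-01-31",
    },
    "py/incomplete-url-substring-sanitization@app/urls.py:10": {
        "owner": "web-team", "reason": "Host is compared against an exact allow-list first.",
        "review_by": "2025-12-31",
    },
    "py/path-injection@app/files.py:88": {
        "owner": "platform", "reason": "Path is validated two frames up.",
        "review_by": "2025-06-30",
    },
}


def suppressed_results(sarif_text):
    """Return {key: [suppression kinds]} for every result that carries a suppression.

    Keys use file and line, which shift when code moves; a production register
    would key on something more stable (e.g. the alert's partial fingerprint).
    """
    found = {}
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            kinds = [s.get("kind") for s in result.get("suppressions") or []]
            if not kinds:
                continue  # open alert, handled by normal triage
            phys = result["locations"][0]["physicalLocation"]
            key = (f'{result["ruleId"]}@{phys["artifactLocation"]["uri"]}'
                   f':{phys["region"]["startLine"]}')
            found[key] = kinds
    return found


def review_suppressions(sarif_text, register, today_iso):
    """Classify each suppression: OK, UNDOCUMENTED, REVIEW-OVERDUE or STALE."""
    today = date.fromisoformat(today_iso)
    live = suppressed_results(sarif_text)
    verdicts = {}
    for key in live:
        entry = register.get(key)
        if entry is None:
            verdicts[key] = "UNDOCUMENTED"    # no owner or rationale on record
        elif date.fromisoformat(entry["review_by"]) < today:
            verdicts[key] = "REVIEW-OVERDUE"  # rationale must be re-confirmed
        else:
            verdicts[key] = "OK"
    for key in register.keys() - live.keys():
        verdicts[key] = "STALE"               # finding gone: remove the suppression
    return verdicts


if __name__ == "__main__":
    for key, verdict in sorted(review_suppressions(SAMPLE_SARIF, REGISTER, "2025-03-01").items()):
        print(f"{verdict:15} {key}")
```

Run on the constructed input, the report flags one suppression with no recorded justification, one whose review date has passed, and one register entry whose finding no longer appears in the scan (so the suppression comment can be deleted); only the entry that is both documented and within its review window passes. Wiring this into the same workflow that runs `codeql database analyze` gives you the cadence the explanation asks for without relying on anyone remembering to do it by hand.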