chore: reduce DevSkim false positives and fix Azure SQL bulkcopy test

bewithgaurav · bewithgaurav · commit db5d72bc8745 · 2026-04-15T07:05:54.000Z
- Exclude tests/, **/test_*.py, and benchmarks/ from DevSkim scanning
  (localhost in test connection strings is not debug code)
- Suppress DS176209 (TODO comments) — informational, not a security concern
- DS137138 (localhost) left enabled — path exclusions handle test files,
  keeps coverage for accidental localhost in production code
- Fix test_bulkcopy_without_database_parameter: remove USE statement
  which is not supported on Azure SQL Database, use fully qualified
  table names with the default database instead
diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml
@@ -27,6 +27,10 @@ jobs:
 
       - name: Run DevSkim scanner
         uses: microsoft/DevSkim-Action@v1
+        with:
+          ignore_globs: "tests/**,**/test_*.py,benchmarks/**"
+          # DS176209: TODO comments — not a security concern
+          ignore_rules_list: "DS176209"
 
       - name: Upload DevSkim scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
diff --git a/tests/test_019_bulkcopy.py b/tests/test_019_bulkcopy.py
@@ -119,9 +119,10 @@ def test_bulkcopy_without_database_parameter(conn_str):
         current_db = cursor.fetchone()[0]
         assert current_db is not None, "Should be connected to a database"
 
-        # If original database was specified, switch to it to ensure we have permissions
-        if original_database:
-            cursor.execute(f"USE [{original_database}]")
+        # Use the original database or the default one for fully qualified names.
+        # We do NOT issue a USE statement because Azure SQL Database does not
+        # support switching databases on an existing connection.
+        effective_database = original_database if original_database else current_db
 
         # Create test table in the current database
         table_name = "mssql_python_bulkcopy_no_db_test"
@@ -138,10 +139,7 @@ def test_bulkcopy_without_database_parameter(conn_str):
 
         # Perform bulkcopy - this should NOT raise ValueError about missing DATABASE
         # Note: bulkcopy creates its own connection, so we need to use fully qualified table name
-        # if we had a database in the original connection string
-        bulkcopy_table_name = (
-            f"[{original_database}].[dbo].{table_name}" if original_database else table_name
-        )
+        bulkcopy_table_name = f"[{effective_database}].[dbo].{table_name}"
         result = cursor.bulkcopy(bulkcopy_table_name, data, timeout=60)
 
         # Verify result
