dotnet · wiktork · Oct 22, 2025 · Oct 21, 2025
diff --git a/eng/release/DiagnosticsReleaseTool/Common/AzureBlobPublisher.cs b/eng/release/DiagnosticsReleaseTool/Common/AzureBlobPublisher.cs
@@ -44,10 +44,10 @@ private TokenCredential Credentials
                 if (_clientId == null)
                 {
                     // Local development scenario. Use the default credential.
-                    return new DefaultAzureCredential();
+                    return new DefaultAzureCredential(); // CodeQL [SM05137] This is not a security issue as this is for local development only. 
                 }
 
-                return new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = _clientId });
+                return new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = _clientId }); // CodeQL [SM05137] This is not a security issue since this is only used for pipeline builds.
             }
         }
 

@@ -394,7 +394,7 @@ private static TokenCredential CreateDefaultCredential(AzureBlobEgressProviderOp
                 credOptions.ManagedIdentityClientId = options.ManagedIdentityClientId;
             }
 
-            return new DefaultAzureCredential(credOptions);
+            return new DefaultAzureCredential(credOptions); // CodeQL [SM05137] Guidance here is to ensure that credential lookup is deterministic by using an environment variable. We accomplish this through settings and only including Managed Identity and Workload credentials, and do not want to introduce a breaking change.
         }
 
         private static DefaultAzureCredentialOptions GetDefaultCredentialOptions() =>