
chore: Enable codeql action #2982

Merged
merged 2 commits into from
Apr 29, 2022

Conversation

naveensrinivasan
Contributor

This action runs GitHub's industry-leading semantic code analysis engine, CodeQL, against a repository's source code to find security vulnerabilities.

https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql

https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast

@mmorel-35
Contributor

Hi @naveensrinivasan,
Thank you for your proposition.
I don't understand why the workflow integrates an analysis of the Python language. Can you explain?

@Yash-Singh1
Member

Yash-Singh1 left a comment

Hey @naveensrinivasan, thanks for the contribution! I left a few comments below.

.github/workflows/codeql.yml (2 review comments, outdated, resolved)
@Yash-Singh1
Member

Yash-Singh1 commented Apr 28, 2022

Hi @naveensrinivasan,
Thank you for your proposition.
I don't understand why the workflow integrates an analysis of the Python language. Can you explain?

I think that python is by default enabled on codeql in the template.

@mmorel-35
Contributor

According to the action.yml there is no default language specified for the action.

@Yash-Singh1
Member

Yash-Singh1 commented Apr 28, 2022

I meant it is specified by default in the template, sorry for the confusion.

@naveensrinivasan
Contributor Author

Hi @naveensrinivasan,
Thank you for your proposition.
I don't understand why the workflow integrates an analysis of the Python language. Can you explain?

I think that python is by default enabled on codeql in the template.

This should be good now. Let me know! Thanks

@naveensrinivasan
Contributor Author

Already found issues!

@Yash-Singh1
Member

Hey @naveensrinivasan, thanks for the quick fix! This is already showing some very helpful vulnerabilities. Could you also disable the cypress and dist folders as those are our builds and tests?

@naveensrinivasan
Contributor Author

Hey @naveensrinivasan, thanks for the quick fix! This is already showing some very helpful vulnerabilities. Could you also disable the cypress and dist folders as those are our builds and tests?

TBH I don't know if it is possible. The way to address that is in the security setting to ignore those alerts.

@Yash-Singh1
Member

Hey @naveensrinivasan, thanks for the quick fix! This is already showing some very helpful vulnerabilities. Could you also disable the cypress and dist folders as those are our builds and tests?

TBH I don't know if it is possible. The way to address that is in the security setting to ignore those alerts.

You have to specify paths-ignore in the CodeQL config:

https://github.com/Yash-Singh1/zoom.js/blob/10110b78283a9fce247aadc9469dd9cf3c096226/.github/codeql/codeql-config.yml
https://github.com/Yash-Singh1/zoom.js/blob/master/.github/workflows/codeql-analysis.yml#L42
https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-a-custom-configuration-file
https://github.com/github/codeql-action/blob/main/.github/codeql/codeql-config.yml#L12
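A concrete form of the paths-ignore setup described in this thread, as an added example that is not the PR's own files: a CodeQL config file that excludes the dist and cypress directories, and the init step that references it. The javascript-only matrix, the develop branch, the schedule and the action versions are assumptions.

```yaml
# File 1: .github/codeql/codeql-config.yml (added example; paths are assumed)
name: "CodeQL config"
# Skip build output and end-to-end tests; alerts from these paths would
# otherwise have to be dismissed one by one in the Security tab.
paths-ignore:
  - dist
  - cypress
---
# File 2: .github/workflows/codeql.yml (added example; branch, schedule and
# action versions are assumptions, not taken from the PR)
name: CodeQL
on:
  push:
    branches: [develop]
  pull_request:
    branches: [develop]
  schedule:
    - cron: "30 6 * * 1"   # weekly run picks up newly added queries
permissions:
  contents: read
  security-events: write   # required to upload results to code scanning
jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [javascript]   # only the language the repo uses; no python
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/codeql-config.yml
      - uses: github/codeql-action/analyze@v2
        with:
          category: "/language:${{ matrix.language }}"
```

paths-ignore is honoured for interpreted languages such as JavaScript, Python and Ruby; for compiled languages the extractor follows whatever the build compiles, so excluded directories must be kept out of the build itself.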

@naveensrinivasan
Contributor Author

naveensrinivasan commented Apr 29, 2022

Hey @naveensrinivasan, thanks for the quick fix! This is already showing some very helpful vulnerabilities. Could you also disable the cypress and dist folders as those are our builds and tests?

TBH I don't know if it is possible. The way to address that is in the security setting to ignore those alerts.

You have to specify paths-ignore in the CodeQL config:

https://github.com/Yash-Singh1/zoom.js/blob/10110b78283a9fce247aadc9469dd9cf3c096226/.github/codeql/codeql-config.yml
https://github.com/Yash-Singh1/zoom.js/blob/master/.github/workflows/codeql-analysis.yml#L42
https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-a-custom-configuration-file
https://github.com/github/codeql-action/blob/main/.github/codeql/codeql-config.yml#L12

@Yash-Singh1 Thanks, I wasn't aware of that option. I have updated it.

Signed-off-by: naveensrinivasan <172697 [email protected]>
@Yash-Singh1 Yash-Singh1 merged commit a62d53e into mermaid-js:develop Apr 29, 2022