
Conversation

@jankapunkt (Member) commented Oct 15, 2021

This adds a new CodeQL analysis to our CI for every pull request (https://github.com/github/codeql-action)

Additionally, the analysis runs scheduled every night at 2am.

The queries can be found here: https://github.com/github/codeql/tree/main/javascript/config/suites/javascript
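A workflow of the shape the description outlines, added here as an illustration and not the file from this PR: it runs the CodeQL JavaScript analysis on pull requests and on a nightly cron, and also on pushes to the base branch so that PR results have a baseline to be compared against. The file path, action versions and the `development` branch name are assumptions.

```yaml
# .github/workflows/codeql-analysis.yml  (illustrative path, not the PR's own file)
name: CodeQL

on:
  pull_request:
    branches: [development]        # assumed base branch
  push:
    branches: [development]        # keeps a baseline scan of the base branch
  schedule:
    - cron: '0 2 * * *'            # nightly at 02:00 (GitHub cron runs in UTC)

# Least privilege: the job only needs to read the repo and upload scan results.
permissions:
  contents: read
  actions: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Sets up the CodeQL CLI and builds the database for the selected language.
      - uses: github/codeql-action/init@v2
        with:
          languages: javascript
          # The default query suite is the linked javascript suite; it can be
          # broadened with e.g.  queries: security-extended

      # Runs the query suite and uploads results to the Code scanning tab.
      - uses: github/codeql-action/analyze@v2
```

The results of the pull_request run are reported relative to the most recent scan of the base branch, which is why the push trigger is included alongside the nightly schedule.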

@jankapunkt jankapunkt added labels enhancement ✨ New feature or request, security ❗ Address a security issue on Oct 15, 2021
This was linked to issues Oct 15, 2021
@jankapunkt (Member, Author)

The detailed list of the analysis (checked known CWEs for example) can be viewed in the action's log (only members): https://github.com/node-oauth/node-oauth2-server/pull/45/checks?check_run_id=3903646993

@jankapunkt (Member, Author)

@HappyZombies we can set the threshold for errors in the security and analysis tab in the settings: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository

However, I don't have access to it. Can you elevate my access to this specific tab?

@jankapunkt (Member, Author)

Note that "Code scanning results / CodeQL" will not be available before being merged. It's basically comparing the PR with the base branch and informs how many vulnerabilities have been fixed or newly introduced, compared to the base branch.

@jwerre (Contributor) commented Oct 16, 2021

This was a really good idea @jankapunkt. I didn't even realize it existed, so thanks for the heads up!

@HappyZombies (Member)

@jankapunkt I totally missed your message in asking for more access 🤦 I went ahead and gave you admin.

@HappyZombies HappyZombies merged commit cfa907d into development Oct 19, 2021
@jwerre jwerre deleted the feature-ci-static-semantic-analysis branch November 21, 2021 14:23

Linked issues (may be closed by merging this pull request): Release strategy, Security process