Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enabling MetaMask security code scanner #24

Merged
merged 3 commits into from
Mar 8, 2024
Merged

Enabling MetaMask security code scanner #24

merged 3 commits into from
Mar 8, 2024

Conversation

metamaskbot
Copy link
Collaborator

Automated PR

This is automated Pull Request by Application Security team.
Please reach out to @mm-application-security slack if you have any feedback or comments.

Required Action

Prior to merging this pull request, please ensure the following has been completed:

  • The lines specifying branches correctly specifies this repository's default branch (usually main).
  • Any paths you would like to ignore have been added to the paths_ignored configuration option (see setup)
  • Any existing CodeQL configuration has been disabled.

What is the Security Code Scanner?

This pull request enables the MetaMask Security Code Scanner GitHub Action. This action runs on each pull request, and will flag potential vulnerabilities as a review comment. It will also scan this repository's default branch, and log any findings in this repository's Code Scanning Alerts Tab.

Screenshot 2024-02-12 at 9 19 05 PM

The action itself runs various static analysis engines behind the scenes. Currently, it is only running GitHub's CodeQL engine. For this reason, we recommend disabling any existing CodeQL configuration your repository may have.

How do I interact with the tool?

Every finding raised by the Security Code Scanner will present context behind the potential vulnerability identified, and allow the developer to fix, or dismiss it.

The finding will automatically be dismissed by pushing a commit that fixes the identified issue, or by manually dismissing the alert using the button in GitHub's UI. If dismissing an alert manually, please add any additional context surrounding the reason for dismissal, as this informs our decision to disable, or improve any poor performing rules.

Screenshot 2024-02-12 at 8 41 46 PM

For more configuration options, please review the tool's README.
For any additional questions, please reach out to @mm-application-security slack.

@metamaskbot metamaskbot requested a review from a team as a code owner February 27, 2024 18:13
legobeat
legobeat reviewed Mar 5, 2024
View reviewed changes
.github/workflows/security-code-scanner.yml
.storybook/
'**/__snapshots__/'
'**/*.snap'
'**/*.stories.js'
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think these ignore lines are relevant for this repo?

witmicko
witmicko approved these changes Mar 8, 2024
View reviewed changes
Copy link

@witmicko witmicko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated approval

@witmicko witmicko merged commit f3e1b09 into main Mar 8, 2024
13 checks passed
@witmicko witmicko deleted the enable-security-code-scanner branch March 8, 2024 10:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@legobeat legobeat legobeat left review comments

@witmicko witmicko witmicko approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@metamaskbot @witmicko @legobeat