-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci: add CodeQL analysis #14514
ci: add CodeQL analysis #14514
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice 💯, one quick question on report https://github.com/cilium/cilium/security/code-scanning?query=ref%3Arefs%2Fheads%2Fpr%2Ftwpayne%2Fcodeql-analysis, just curious who will check this report and take any action if required ? 🤔
Initially me and probably @sharlns 😄 We're both working for Isovalent and have an interest in Cilium's security. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 💯
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any reason why we don't enable it by default as a blocking requirement to merge PRs? How long does the codeql takes to run? It looked it was less than 3 seconds?
The scanner does occasionally have false positives (e.g. github/codeql-go#439) and not all the problems it identifies are genuine security problems so I think making it a blocking requirement would be too strict. |
Signed-off-by: Tom Payne <tom@isovalent.com>
cacbbdf
to
6647e70
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks.
I think this can be merged now. Many of the identified problems have been fixed in other PRs which can be merged one by one. |
On the recent introduction of CodeQL analysis (PR cilium#14514), the cron value has been entered wrongly. This PR fix the values of the hours/minutes. Fixes: cilium#14567 Signed-off-by: Youssef Azrak <yazrak.tech@gmail.com>
push: | ||
branches: | ||
- master | ||
- v1.9 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
late to the party, but maybe v*.*
here? seems pretty easy to forget to update this file after each release.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🚢
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
#16251 🚢
also removed the periodic trigger. let me know if we still want to keep it.
This PR enables CodeQL analysis for the project.
cc @sharlns