feat(security): add code-scanning with CodeQL #3229

jsjoeio · 2021-04-26T22:19:11Z

This PR adds code-scanning using CodeQL (by GitHub) to help automatically detect common vulnerability and coding errors.

Fixes #3176

codecov · 2021-04-26T22:32:33Z

Codecov Report

Merging #3229 (2bf0907) into main (01e001d) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #3229   +/-   ##
=======================================
  Coverage   46.90%   46.90%           
=======================================
  Files          23       23           
  Lines        1196     1196           
  Branches      237      237           
=======================================
  Hits          561      561           
  Misses        451      451           
  Partials      184      184

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 01e001d...2bf0907. Read the comment docs.

jawnsy

Nice! Excellent work Mr. Previte

.github/workflows/codeql-analysis.yml

jawnsy · 2021-04-27T21:58:59Z

.github/workflows/codeql-analysis.yml

+      #   make bootstrap
+      #   make release
+
+      - name: Perform CodeQL Analysis


How are we going to handle the existing findings, are we going to fix things first, or merge and then reduce them gradually?

Looks pretty useful though!

Also seems like it might be a good idea to ignore code that we don't control (e.g. lib/vscode) if we can configure things that way

Probably merge and reduce gradually. Seems like a solid approach.

Good idea on ignoring lib/vscode. I'll see if that's configurable

@jsjoeio Replying here so it's threaded

@jawnsy how did you know to go here for the Code scanning alerts?

I found it by clicking looking at the Actions result, then clicking "view all alerts" - super unintuitive lmao

I found this in the docs: Specifying Directories to Scan

It's unclear whether this needs to be in a custom codeql config file or if I can put it in the workflow file. I'm going to try adding to the workflow file.

Also opened follow-up issue: #3243

And...there's my answer! I'll do it the proper way instead

It worked! https://github.com/cdr/code-server/security/code-scanning?query=ref%3Arefs%2Fpull%2F3229%2Fmerge+tool%3ACodeQL

.github/workflows/codeql-analysis.yml

jsjoeio · 2021-04-27T22:08:58Z

P.S. - @jawnsy how did you know to go here for the Code scanning alerts?

My intuitive would have told me they show up here but that's not the case 🤷‍♂️

jsjoeio added the security Security related label Apr 26, 2021

jsjoeio added this to 🚧 In progress in Clean Up via automation Apr 26, 2021

jsjoeio self-assigned this Apr 26, 2021

jsjoeio force-pushed the jsjoeio/add-code-scanning branch 3 times, most recently from 24ff606 to 6e16ffe Compare April 26, 2021 22:29

jsjoeio marked this pull request as ready for review April 26, 2021 22:31

jsjoeio requested a review from a team as a code owner April 26, 2021 22:31

jsjoeio added this to the v3.9.4 milestone Apr 26, 2021

jsjoeio changed the title ~~security: add code-scanning with CodeQL~~ feat(security): add code-scanning with CodeQL Apr 27, 2021

jawnsy approved these changes Apr 27, 2021

View reviewed changes

jawnsy reviewed Apr 27, 2021

View reviewed changes

.github/workflows/codeql-analysis.yml Show resolved Hide resolved

jsjoeio force-pushed the jsjoeio/add-code-scanning branch from 6e16ffe to 0934acc Compare April 27, 2021 22:23

jsjoeio added 3 commits April 27, 2021 15:38

feat: add codeql-analysis.yml

3577985

chore: add codeql-action to dependabot config

e48de92

feat: add codeql-config file

2bf0907

jsjoeio force-pushed the jsjoeio/add-code-scanning branch from 2364f92 to 2bf0907 Compare April 27, 2021 22:38

jsjoeio added the merge when passing Merge the PR automatically once all status checks have passed label Apr 27, 2021

repo-ranger bot merged commit 9f7ceef into main Apr 27, 2021

Clean Up automation moved this from 🚧 In progress to ✅ Done Apr 27, 2021

repo-ranger bot deleted the jsjoeio/add-code-scanning branch April 27, 2021 22:55

jsjoeio added the chore Related to maintenance or clean up label May 14, 2021

jsjoeio mentioned this pull request May 14, 2021

[dev]: utilize GitHub security tools #2839

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(security): add code-scanning with CodeQL #3229

feat(security): add code-scanning with CodeQL #3229

jsjoeio commented Apr 26, 2021 •

edited

codecov bot commented Apr 26, 2021 •

edited

jawnsy left a comment

jawnsy Apr 27, 2021

jsjoeio Apr 27, 2021

jawnsy Apr 27, 2021

jsjoeio Apr 27, 2021

jsjoeio Apr 27, 2021

jsjoeio Apr 27, 2021

jsjoeio Apr 27, 2021

jsjoeio commented Apr 27, 2021 •

edited

feat(security): add code-scanning with CodeQL #3229

feat(security): add code-scanning with CodeQL #3229

Conversation

jsjoeio commented Apr 26, 2021 • edited

codecov bot commented Apr 26, 2021 • edited

Codecov Report

jawnsy left a comment

Choose a reason for hiding this comment

jawnsy Apr 27, 2021

Choose a reason for hiding this comment

jsjoeio Apr 27, 2021

Choose a reason for hiding this comment

jawnsy Apr 27, 2021

Choose a reason for hiding this comment

jsjoeio Apr 27, 2021

Choose a reason for hiding this comment

jsjoeio Apr 27, 2021

Choose a reason for hiding this comment

jsjoeio Apr 27, 2021

Choose a reason for hiding this comment

jsjoeio Apr 27, 2021

Choose a reason for hiding this comment

jsjoeio commented Apr 27, 2021 • edited

jsjoeio commented Apr 26, 2021 •

edited

codecov bot commented Apr 26, 2021 •

edited

jsjoeio commented Apr 27, 2021 •

edited