Add CodeQL scanning #4651
Conversation
@madsnedergaard since this is the first PR with CodeQL enabled it will report all existing vulnerabilities here, just so you know. If there is anything in the CI structure you have questions about or want changed just let me know. EDIT:

This is great 👍

Hopefully it will help us fix existing ones and prevent any known vulnerabilities from being added to the codebase. We will probably have to mark some of the results from the

Looks like we have our work cut out for us when it comes to cleaning up the codebase...

This is super cool! 💪 Regarding the ESLint one, it seems to ignore

I was thinking that it might be possible to set up the rules to be more conditional so the console errors don't show up in our helper tools, for example, but I haven't looked into it yet. As for the Python version I'm not even sure it uses In either case, if I understood the documentation correctly it should just error when new vulnerabilities are introduced by a PR. That means we might be able to merge this anyway and just use it to prevent further security issues. (ESLint is just code quality rather than code security.)
@madsnedergaard we can probably add ESLint overrides for some of the rules to avoid false positives (like the translation helpers and such) like this:

```json
{
  "rules": {
    "quotes": ["error", "double"]
  },
  "overrides": [
    {
      "files": ["bin/*.js", "lib/*.js"],
      "excludedFiles": "*.test.js",
      "rules": {
        "quotes": ["error", "single"]
      }
    }
  ]
}
```

To facilitate that it might be easier to move them all to a helper folder or rename them all to a consistent name pattern (like As for the Python dependencies and PS: I turned this into a draft in the meantime. EDIT: Here is a link that describes the whole CodeQL scanning process some more: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#defining-the-severities-causing-pull-request-check-failure

Ah okay, thanks for investigating! Re: ESLint, I don't think we want to add too much setup around problems here; I just hoped it would respect the disable-comment in a file. But if that's not possible, then I'm fine with just keeping it like it is now :) Re: Python dependencies, good to know; in that case I think it's also fine to keep them like they are for now. Hopefully it won't be too distracting, otherwise we can take it from there :)
```yaml
schedule:
  - cron: '0 7 * * 1'
```

How does this work? Will it still run the job on each PR update, or only on the weekly schedule now? 🤔
It will run on all PR and push events (like if you go crazy and decide to push to master 😅) via the workflow call, plus on a weekly schedule.
The weekly schedule is recommended by CodeQL as there could be long periods without pushes or PRs to master, and keeping it on a schedule will ensure it identifies new issues (when the CodeQL rules update) even if there is no activity on master.
Great, makes sense! 👏
Let's see how this works out, merging it now.
Adds a CodeQL scanning action to help find any potential security issues in the code.
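The thread above describes the trigger model (push and pull request events via a workflow call, plus the weekly cron) but the PR's own workflow file is not reproduced on this page. The following is an added example, not the project's actual workflow, showing how those three triggers fit together in a CodeQL workflow; the branch name `master` and the cron expression come from the discussion, while the workflow name, the `javascript`/`python` language matrix, the action versions and the `permissions` block are assumptions for illustration.

```yaml
# Example CodeQL workflow (added illustration, not the project's file).
name: CodeQL

on:
  # Scan every push to the default branch (the "push to master" case above).
  push:
    branches: [master]          # branch name taken from the discussion
  # Scan every pull request targeting the default branch.
  pull_request:
    branches: [master]
  # Allow another workflow (e.g. the main CI pipeline) to invoke this one,
  # which is the "via the workflow call" path mentioned above.
  workflow_call:
  # Weekly run so updated CodeQL query packs are applied even when master
  # sees no pushes or PRs for a while. Cron expression from the discussion:
  # 07:00 UTC every Monday.
  schedule:
    - cron: '0 7 * * 1'

# Least-privilege token: the job only needs to read the repo and upload
# SARIF results to the code-scanning API. (Assumed scopes, not from the page.)
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # Assumed language set; the thread mentions ESLint (JS) and Python.
        language: [javascript, python]
    steps:
      - name: Check out source
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      # For interpreted languages (JS, Python) no build step is required;
      # autobuild is a no-op there but keeps the job uniform if a compiled
      # language is added to the matrix later.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Run CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          # One result category per language so uploads do not overwrite each other.
          category: "/language:${{ matrix.language }}"
```

Note that which alert severities turn a pull request check red is not set in this file; as the linked GitHub documentation describes, it is a repository code-scanning setting, so the behaviour discussed above (only newly introduced findings failing a PR, pre-existing ones being reported but not blocking) is controlled there rather than in the workflow YAML.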