Enable security scanning of PR's (WIP, hold for now...) #72
Simple change to hopefully ensure we're doing the right things...
For simplicity/consistent scanning...
Nice initiative! I haven't used these before, maybe you could explain a bit, when you feel that it's ready for talking about?
It's just static code analysis at build time, see https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning In theory it should result in a failed CI build if it finds insecure coding practices, but I need to add a positive to check that. The results can also be viewed in the security menu above.
I generally enable the 'dependabot' in my repos as well, it will alert you when there's a security update for one of your nuget dependencies, and optionally raise a PR that updates the dependency for you... I don't believe I have permission to configure that on your repo though.
Btw, @wokket - I've enabled the dependabot for github actions and nuget packages. It seems to be just a file now (don't know what it was earlier): https://github.com/erikbra/grate/blob/main/.github/dependabot.yml
Just a quick update on this one, something has moved with the pre-release .Net6 so the 'autobuild' line now fails in my fork (https://github.com/wokket/grate/tree/security/code-scanning)... I vote we still hold off here until the RC world cleans up a bit. |
Looks like the security build step is using .NET core 3.1:
It seems to be running on mono/.net full framework: https://github.com/wokket/grate/runs/3910208595?check_suite_focus=true#step:4:1230 Or, maybe the problem is with the SDKs that are installed: https://github.com/wokket/grate/runs/3910208595?check_suite_focus=true#step:4:45
No .net 6. We can hold off until it goes GA, no probs, it's live in less than a month: https://www.dotnetconf.net/
Unfortunately that doesn't explain why it used to build, per the green ticks all through this PR 🤣 Edit: actually, maybe it never ran? I should know better than to try and review this stuff on my phone.... Either way I agree, holding off until we have an rtm release for this isn't the end of the world
I think I'll just merge this one, and we can work more on polishing it later :)
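The failure discussed above (CodeQL's autobuild step compiling against whatever SDK the runner happens to have, with no .NET 6 installed) is avoided by installing the target SDK before autobuild runs. The workflow below is an added illustration, not the PR's own file; the action version tags, branch name and query suite are assumptions.

```yaml
name: CodeQL

on:
  push:
    branches: [ main ]      # assumed default branch
  pull_request:
    branches: [ main ]

permissions:
  contents: read
  security-events: write    # required to upload results to the Security tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Install the SDK the project targets before autobuild runs.
      # Without this, the runner's preinstalled SDKs decide what
      # 'dotnet build' can compile, which is the failure seen in the PR.
      - uses: actions/setup-dotnet@v3
        with:
          dotnet-version: '6.0.x'

      - uses: github/codeql-action/init@v2
        with:
          languages: csharp
          # security-extended adds lower-confidence security queries
          # on top of the default suite (assumed choice).
          queries: security-extended

      # Let CodeQL drive the build so it can trace compilation.
      - uses: github/codeql-action/autobuild@v2

      - uses: github/codeql-action/analyze@v2
```

Whether a finding actually blocks the PR depends on two settings outside this file: by default only error-level (or critical/high security severity) alerts fail the code-scanning check, and the check only blocks merging if branch protection requires it.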
Having got a first run it takes a few minutes, and is currently reporting no issues 👍
TODO: