
feat: Implement security scans using CodeQL #2793

Merged

Conversation

@boc-the-git (Collaborator) commented Dec 6, 2023

What type of PR is this?

  • cleanup
  • feature

What this PR does / why we need it:

Adds code security scanning, both in terms of regular scans against mealie-next, and on PRs.
For PRs, it doesn't reject them when they have the same issues as mealie-next, only new issues introduced on that PR.

Initially this is going to identify a number of issues (10 it looks like) that we'll need to progressively work through and either resolve or choose to ignore. We get our main benefit from this moving forward.

Note the initial CodeQL implementation is effectively the default supplied by GitHub - I haven't tried to do anything custom/wacky.

Which issue(s) this PR fixes:

None (that I know of).

Testing

I initially merged the CodeQL change to my mealie-next and saw it identify 10 issues. I then made the change to scan PRs and threw in an intentionally "bad" commit to see that it failed the test and rejected the PR, as shown here:
[image]

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@michael-genson (Collaborator)

LGTM, though I wonder how it compares to Trivy

@boc-the-git (Collaborator, Author)

Good point @michael-genson, I was overlooking Trivy. I added this because GitHub doesn't consider us to have any security scanning on the repo (see the Security tab).

I don't know if there's a minor modification to Trivy that could achieve that, or maybe GitHub don't consider it good enough, or something else. Factually which is better, I'm not qualified to say at this time (will do some reading).

@boc-the-git (Collaborator, Author)

So the key difference, as I can see it, is that CodeQL runs an analysis on the actual code base, whereas Trivy builds the container and then scans within the container.
Coming at it from two different angles.

@hay-kot hay-kot enabled auto-merge (squash) January 9, 2024 21:17
@hay-kot hay-kot merged commit 2bb2106 into mealie-recipes:mealie-next Jan 9, 2024
9 checks passed