feat: Implement security scans using CodeQL #2793
Conversation
Create codeql.yml
This reverts commit 44d180b. The CodeQL file already responds to pull requests.
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
LGTM, though I wonder how it compares to Trivy
Good point @michael-genson, I was overlooking Trivy. I added this because GitHub doesn't consider us to have any security scanning on the repo (see the security tab). I don't know if there's a minor modification to Trivy that could achieve that, or maybe GitHub doesn't consider it good enough, or something else. Factually which is better, I'm not qualified to say at this time (will do some reading).
So the key difference, as I can see it, is that CodeQL runs an analysis on the actual code base, whereas Trivy builds the container and then scans within the container.
What type of PR is this?
What this PR does / why we need it:
Adds code security scanning, both in terms of regular scans against mealie-next, and on PRs.
For PRs, it doesn't reject them when they have the same issues as mealie-next, only new issues introduced on that PR.
Initially this is going to identify a number of issues (10 it looks like) that we'll need to progressively work through and either resolve or choose to ignore. We get our main benefit from this moving forward.
Note the initial CodeQL implementation is effectively the default supplied by GitHub - I haven't tried to do anything custom/wacky.
Which issue(s) this PR fixes:
None (that I know of).
Testing
I initially merged the CodeQL change to my mealie-next and saw it identify 10 issues. I then made the change to scan PRs and threw in an intentionally "bad" commit to see that it failed the test and rejected the PR, as shown here: