[Feature] Adds CodeQL to the SDLC process #10843
Conversation
💖 Thanks for this pull request! 💖 We use semantic commit messages to streamline the release process and easily generate changelogs between versions. Before your pull request can be merged, you should update your pull request title to start with a semantic prefix if it doesn't have one already. Examples of commit messages with semantic prefixes:
Things that will help get your PR across the finish line:
We get a lot of pull requests on this repo, so please be patient and we will get back to you as soon as we can.
As I mentioned elsewhere, we already do a lot of these scans inside and outside of GitHub. I guess I'll merge this for now, but it doesn't seem needed, since we are already using code quality tooling within the SDLC.
Congrats on merging your first pull request! 🎉🎉🎉
Description
This pull request adds CodeQL to the SDLC (as a GitHub Action) of the Snipe-IT project. It helps to discover vulnerabilities in the JavaScript codebase. Also, to show its potential, the pull request contains a small fix that was identified by CodeQL (a ReDoS vulnerability) in the Chart.JS library. The current configuration is to perform analysis on the master branch upon a push. The results are presented in the GitHub Advanced Security code scanning dashboard.
Type of change
Please delete options that are not relevant.
How Has This Been Tested?
It was tested on a fork of Snipe-IT (on the master branch).
Checklist:
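As an added example (not the workflow file from this PR), this is what a CodeQL workflow matching the description above looks like: JavaScript analysis on every push to master, with results uploaded to the code scanning dashboard. The file path and the extra `pull_request` trigger are assumptions; the `security-events: write` permission is what the upload step needs.

```yaml
# Assumed path: .github/workflows/codeql.yml (added example, not the PR's actual file)
name: "CodeQL"

on:
  push:
    branches: [master]        # matches the PR description: analyse master on every push
  pull_request:
    branches: [master]        # assumption beyond the PR: also scan PRs before they merge

permissions:
  contents: read
  security-events: write      # required to upload SARIF results to the code scanning dashboard

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript   # the PR description names the JavaScript codebase

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
```

Scanning pull requests as well as pushes surfaces findings such as the ReDoS pattern mentioned above before they reach master rather than after.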