Include CodeQL scan in the commit checks#608
Conversation
Interesting, let's see if there are any opinions or concerns about using this.
Looks like no :)
What problem does this code solve?
Risks
Changes to the API?
Will this require a new release?
Should the documentation be updated?
Does it break the unit tests?
Was any code refactored in this commit?
Review status
Starting 3 day comment window |
🙄 |
@javadev Thanks for the reminder. Recently we added fuzz-testing (#641) and I started getting spammed with emails that were difficult to track down and take action on. That made me less enthusiastic about adding tooling that might make check-ins more difficult. If someone has time to clone this project, set up CodeQL, and preview what kind of problems are already in the code, that could help.
@stleary All alerts should be visible in the PR check "Code scanning results / CodeQL", but it looks like the results have already expired (the run was done in June 2021). Could you please rerun the workflows on this PR? I'll have a look at the alerts.

@artem-smotrakov Thanks for the reminder. I did not see any problems with the checks.
GitHub now offers code scanning that is based on CodeQL (the same engine that is used in LGTM.com). In short, it is a static analysis tool that is able to catch various issues, including security ones. Once enabled for pull requests, it would help with catching issues earlier.
The scan may be run via GitHub Actions for pull requests. Or, LGTM checks may be added, the instructions are here.
How about enabling the scans for JSON-Java? The proposed update creates a GitHub workflow that runs CodeQL scans for pull requests and the master branch. The results will be available:
P.S. The file was generated by GitHub, I just disabled autobuild and added another build command. I can remove all the comments if necessary.
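For readers who want to see what "disabled autobuild and added another build command" looks like in practice, here is an added example of a workflow in that shape. It is not the PR's own file (which is not reproduced on this page): the Maven command, the JDK version, the branch name and the file comments are assumptions for a typical Java project; the action names and their inputs are the real `github/codeql-action` ones.

```yaml
# Added example, not the PR's workflow file. Assumptions: the project builds
# with Maven, targets a JDK 11-compatible release, and its default branch is "master".
name: CodeQL

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

permissions:
  contents: read
  security-events: write   # required to upload SARIF results to code scanning

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '11'   # assumption: any JDK the project compiles with works

      # Initializes the CodeQL tools for scanning. The default query suite is
      # used; "security-extended" would add lower-precision security queries.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java
          # queries: security-extended

      # Autobuild is deliberately NOT used (the PR description does the same).
      # For Java, CodeQL builds its database by observing the real compiler
      # invocations, so the project must be compiled here, with its own build tool.
      # - name: Autobuild
      #   uses: github/codeql-action/autobuild@v3
      - name: Build with Maven
        # assumption: Maven build; tests are skipped because CodeQL only needs
        # the compilation steps, and running the suite would only slow the scan
        run: mvn -B -DskipTests package

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
```

Two points worth knowing before relying on this check: on a pull request, code scanning reports only alerts that the PR introduces relative to the base branch, while the push on `master` produces the full alert list for the repository; and because the database is built from observed compilation, a build step that fails or compiles nothing silently yields an empty analysis, so the build step should be treated as a hard failure of the check rather than a best-effort step.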