-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Setup CodeQL SAST #146
Setup CodeQL SAST #146
Conversation
|
TBDocs Report ✅ No errors or warnings @tbdex/protocol
@tbdex/http-client
@tbdex/http-server
TBDocs Report Updated at 2024-01-19T22:32:58Z |
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
pull_request: | ||
branches: [ "main" ] | ||
schedule: | ||
- cron: '33 1 * * 5' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a reason why the cron schedule is different here compared to the one in your tbdex-kt PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how come it is on a schedule at all vs pull requests?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a reason why the cron schedule is different here compared to the one in your tbdex-kt PR?
It's randomly generated by GH when Enabling the CodeQL scan. I don't think the schedule time actually matter as long as we have the scan being executed weekly. (I'm going to move forward with the merge but we can revisit the weekly scanning time later if we want to have it running at the same time for all our repos).
how come it is on a schedule at all vs pull requests?
It runs both on PRs, main pushes AND on a schedule. The reason for running on a schedule is that new vulns are discovered every day. So, even after merging something, we need to be scanning the codebase in a consistent basis.
Setup Static Analysis in the repo, which already being helpful raised 3 warnings:
Details can be found here:
https://github.com/TBD54566975/tbdex-js/security/code-scanning?query=pr%3A146+is%3Aopen
https://github.com/TBD54566975/tbdex-js/security/code-scanning/10
https://github.com/TBD54566975/tbdex-js/security/code-scanning/9
https://github.com/TBD54566975/tbdex-js/security/code-scanning/11