
ci: add CodeQL security scanning #3332

Merged
merged 2 commits into from
Jun 9, 2020
Conversation

jhutchings1
Contributor

@jhutchings1 jhutchings1 commented Jun 4, 2020

Hi, I'm a PM on the GitHub security team. This repository is eligible to try the new GitHub Advanced Security code scanning beta.

Code scanning runs a static analysis tool called CodeQL which scans your code at build time to find any potential security issues. We've tuned the set of queries to be only the most severe, most precise issues. We'll show alerts in the security tab, and we'll show alerts for any net new vulnerabilities on pull requests as well. We've tried to make this super developer friendly, but we'd love your feedback as we work through the beta.

If you're interested in trying it out, you can merge this pull request to set up the Actions workflow. You can also get this set up yourself in any additional repositories in this organization by following these instructions

@coveralls
coveralls commented Jun 5, 2020

Coverage Status

Coverage remained the same at 43.084% when pulling d14fb6d on jhutchings1:codeql into b7fd516 on microsoft:master.

@jhutchings1 jhutchings1 marked this pull request as ready for review June 5, 2020 06:00
@a-b-r-o-w-n
Contributor

@jhutchings1 thanks for the PR! Is this something that will be able to replace the LGTM analysis that we are currently doing?

@a-b-r-o-w-n a-b-r-o-w-n self-assigned this Jun 8, 2020
@jhutchings1
Contributor Author

@a-b-r-o-w-n Yes, you could move from LGTM to code scanning. I'll note that we use a more restrictive set of queries by default, but you can get the same ones LGTM uses by adding the security-and-quality pack into the configuration.
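For readers who want to see what "adding the security-and-quality pack into the configuration" looks like in practice, here is an illustrative Actions workflow. It is an added example, not the workflow file from this pull request, and it assumes the analyzed code is JavaScript/TypeScript and that the current `github/codeql-action` v2 inputs are available.

```yaml
# Added illustrative workflow (e.g. .github/workflows/codeql.yml); not the file from this PR.
# Assumptions: the repository's analyzed code is JavaScript/TypeScript and the
# github/codeql-action v2 inputs (`languages`, `queries`) are available.
name: "CodeQL"

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

permissions:
  contents: read
  security-events: write   # required to upload results to the Security tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: javascript
          # Omitting `queries` keeps the default, more restrictive high-precision
          # security suite. Adding the broader pack below brings in the query set
          # that LGTM uses, as described in the comment above.
          queries: security-and-quality

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
```

With the broader pack enabled, expect additional quality-category alerts alongside the security ones, so triage volume on the Security tab goes up accordingly.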

@a-b-r-o-w-n
Contributor

@jhutchings1 excellent. I'll go ahead and merge this and let the two co-exist for a while.

@a-b-r-o-w-n a-b-r-o-w-n changed the title Add CodeQL security scanning security: add CodeQL security scanning Jun 9, 2020
@a-b-r-o-w-n a-b-r-o-w-n changed the title security: add CodeQL security scanning ci: add CodeQL security scanning Jun 9, 2020
@a-b-r-o-w-n a-b-r-o-w-n added the Approved to merge approved, waiting to be merged label Jun 9, 2020
@a-b-r-o-w-n a-b-r-o-w-n merged commit 40a0f97 into microsoft:master Jun 9, 2020
@cwhitten cwhitten mentioned this pull request Jul 8, 2020
lei9444 pushed a commit to lei9444/BotFramework-Composer-1 that referenced this pull request Jun 15, 2021
Co-authored-by: Andy Brown <asbrown002@gmail.com>
Labels
Approved to merge approved, waiting to be merged