Add DevSkim scanning #778

anjbur · 2022-04-22T19:47:45Z

Adds a new GitHub action to run the Microsoft DevSkim tool. This will integrate with the Security Issues view and scan PRs for new potential issues.

tcNickolas · 2022-04-22T21:40:16Z

@anjbur Can you clarify what kind of issues are going to be detected and reported, and how is this going to look - is this an extra CI build job that will fail if the PR introduces new issues?

anjbur · 2022-04-22T22:45:27Z

@tcNickolas It's an additional compliance tool to catch any potential security alerts. It runs a static code analysis and will create a failing PR check if any new issues are introduced by a PR. You can see the added CI checks on this PR: one for the code action to run (DevSkim / DevSkim (pull_request)) and one with the results (Code scanning results / devskim). Any alerts (against main or a PR) are also visible though the Code Scanning Alerts section under the Security tab!

tcNickolas

Looks good - I see the two new checks on the pull request passing so we're in a good place to start using them.

anjbur and others added 2 commits April 22, 2022 12:47

Add DevSkim scanning

74e689f

resolve alerts

276bfc2

anjbur requested review from msoeken and tcNickolas April 22, 2022 20:45

tcNickolas approved these changes Apr 22, 2022

View reviewed changes

tcNickolas merged commit bf09e48 into main Apr 22, 2022

tcNickolas deleted the anburton/add-devskim branch April 22, 2022 23:47

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add DevSkim scanning #778

Add DevSkim scanning #778

anjbur commented Apr 22, 2022

tcNickolas commented Apr 22, 2022

anjbur commented Apr 22, 2022

tcNickolas left a comment

Add DevSkim scanning #778

Add DevSkim scanning #778

Conversation

anjbur commented Apr 22, 2022

tcNickolas commented Apr 22, 2022

anjbur commented Apr 22, 2022

tcNickolas left a comment

Choose a reason for hiding this comment