Add CodeQL security scanning #99411


Merged (2 commits), Jun 11, 2020
Conversation

jhutchings1 (Contributor)

Hi, I'm a PM on the GitHub security team. This repository is eligible to try the new GitHub Advanced Security code scanning beta.

Code scanning runs a static analysis tool called CodeQL which scans your code at build time to find any potential security issues. We've tuned the set of queries to be only the most severe, most precise issues. We'll show alerts in the security tab, and we'll show alerts for any net new vulnerabilities on pull requests as well. We've tried to make this super developer friendly, but we'd love your feedback as we work through the beta.

If you're interested in trying it out, you can merge this pull request to set up the Actions workflow. You can also get this set up yourself in any additional repositories in this organization by following these instructions.

Linguist detects a very small amount of additional language code, but given that JS/TS is the majority, I don't think we need to worry about complicating things further.
@connor4312 connor4312 requested a review from joaomoreno June 5, 2020 05:28
@jhutchings1 jhutchings1 marked this pull request as ready for review June 5, 2020 06:07
joaomoreno (Member)

Have you found any issues so far in our code base? What specific kind of issues should arise from here? Some examples?

jhutchings1 (Contributor, Author)

@joaomoreno I followed up offline with you in email about my findings. CodeQL is configurable, but our default set of queries is focused on finding the most precise, most severe security vulnerabilities that we can. We've tried to keep the noise way down so that this doesn't disrupt development teams. You can optionally enable more comprehensive queries which range from correctness and maintainability to more speculative security queries with a greater false positive rate.
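
The workflow that this pull request adds and the optional broader query suites mentioned in the reply above are not shown on this page, so the following is an added illustration rather than the PR's actual file. It assumes a GitHub-hosted repository whose code is mostly JavaScript/TypeScript (as the Linguist note in the thread says), uses current action versions (`actions/checkout@v4`, `github/codeql-action@v3`) rather than the 2020 pins the PR would have used, and shows where the default high-precision query suite would be widened to `security-extended` or `security-and-quality`:

```yaml
# Added example: not the workflow file from PR #99411 (its contents are not on this page).
# Assumes a repository that is mostly JavaScript/TypeScript; action versions are current
# ones, not the 2020 pins the PR used.
name: "CodeQL"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]   # PR runs are what surface "net new" alerts against the base branch
  schedule:
    - cron: '0 3 * * 1'  # weekly run picks up newly added queries on an unchanged code base

permissions:
  contents: read
  security-events: write  # needed to upload results to the repository's Security tab

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          # CodeQL's JavaScript extractor also covers TypeScript, so one entry
          # is enough for a JS/TS repository.
          languages: javascript
          # With no "queries" input the default suite runs: the high-severity,
          # high-precision set the thread describes. To enable the broader,
          # noisier suites mentioned above, uncomment one of the following:
          # queries: security-extended
          # queries: security-and-quality

      # JavaScript needs no build step. For compiled languages the database is
      # populated here by github/codeql-action/autobuild or an explicit build command.

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript"
```

The two trigger types do different jobs: the `pull_request` run is what produces the per-PR annotations for newly introduced findings, while the scheduled run catches findings that appear only because the query set was updated, which a push-only workflow would never report on quiet branches.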

joaomoreno (Member)

@jhutchings1 Thanks for the follow-up, I'll get to it asap, been busy.

@joaomoreno joaomoreno added this to the June 2020 milestone Jun 11, 2020
@joaomoreno joaomoreno merged commit 7bf3286 into microsoft:master Jun 11, 2020
joaomoreno (Member)

Thanks, let's take this in!

@jhutchings1 jhutchings1 deleted the codeql branch June 11, 2020 17:12
@github-actions github-actions bot locked and limited conversation to collaborators Jul 26, 2020