Add CodeQL security scanning #99411
Merged
joaomoreno merged 2 commits into microsoft:master from jhutchings1:codeql on Jun 11, 2020
Conversation
Linguist detects a very small amount of additional language code, but given that JS/TS is the majority, I don't think we need to worry about complicating things further.
Member:
Have you found any issues so far in our code base? What specific kinds of issues should arise from here? Some examples?
Contributor (Author):
@joaomoreno I followed up offline with you in email about my findings. CodeQL is configurable, but our default set of queries is focused on finding the most precise, most severe security vulnerabilities that we can. We've tried to keep the noise way down so that this doesn't disrupt development teams. You can optionally enable more comprehensive queries, which range from correctness and maintainability to more speculative security queries with a greater false positive rate.
Member:
@jhutchings1 Thanks for the follow-up, I'll get to it ASAP, been busy.
Member:
Thanks, let's take this in!
Hi, I'm a PM on the GitHub security team. This repository is eligible to try the new GitHub Advanced Security code scanning beta.
Code scanning runs a static analysis tool called CodeQL which scans your code at build time to find any potential security issues. We've tuned the set of queries to be only the most severe, most precise issues. We'll show alerts in the security tab, and we'll show alerts for any net new vulnerabilities on pull requests as well. We've tried to make this super developer friendly, but we'd love your feedback as we work through the beta.
If you're interested in trying it out, you can merge this pull request to set up the Actions workflow. You can also get this set up yourself in any additional repositories in this organization by following these instructions.
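For readers who want to see what such a workflow looks like, the following is an added example and not the file merged in this pull request. It shows the pieces the discussion above turns on: restricting analysis to `javascript` (which in CodeQL also covers TypeScript, so the small amount of other languages Linguist detects is left out), running on pull requests so only net new alerts are surfaced there, and the optional `queries` input that switches from the default high-precision set to the broader `security-extended` suite with a higher false-positive rate. The action version (`v3`), the schedule, and the branch name are assumptions chosen for this example; the 2020 beta used an earlier major version of `github/codeql-action`.

```yaml
# Added example of a CodeQL code scanning workflow (not the PR's own file).
# Assumptions: default branch "master", codeql-action v3, weekly schedule.
name: "CodeQL"

on:
  push:
    branches: [master]
  pull_request:
    # Alerts on PRs are reported only for findings that are new
    # relative to the base branch.
    branches: [master]
  schedule:
    # Weekly full scan picks up newly published queries even when
    # no code changed. Cron syntax is UTC.
    - cron: "0 3 * * 1"

permissions:
  # Least privilege: the analyze step only needs to upload SARIF
  # results to the Security tab and read the checkout.
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # "javascript" covers both JavaScript and TypeScript sources.
        # Deliberately not listing the trace amounts of other languages
        # Linguist finds, to keep the build and the alerts focused.
        language: [javascript]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Default (omit "queries") = the tuned, low-noise security set.
          # "+security-extended" keeps the default set and adds the
          # broader, more speculative security queries; expect more
          # false positives. "+security-and-quality" would add
          # correctness and maintainability queries on top of that.
          queries: +security-extended

      # For interpreted languages CodeQL extracts the code directly;
      # no compile step is required. Compiled languages would need a
      # build step (or the autobuild action) between init and analyze.

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Dropping the `queries` line returns the workflow to the default query set described in the thread; `security-extended` is the knob to turn once a team has triaged the default alerts and wants the wider net.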