Enable CodeQL Security Scan #12870
Enable CodeQL Security Scan #12870
Conversation
|
@VinodAnandan My concern is that we'll start getting a lot of false alarms. Where are the results reported to ? |
|
|
||
| - if: matrix.language == 'java' | ||
| name: Build Java | ||
| run: mvn -B --settings .github/mvn-settings.xml clean install -DskipTests=true |
| # The branches below must be a subset of the branches above | ||
| branches: [master] | ||
| schedule: | ||
| - cron: '0 16 * * 4' |
There was a problem hiding this comment.
Maybe let's do it on Sunday when the activity is low.
There was a problem hiding this comment.
And every 2nd Sunday for example ?
|
@sberyozkin @gsmet Thank you very much for reviewing my pull request. The CodeQL only focuses on the security issues unlike the sonarcloud and there are not that many findings. Most of the findings are related to the test code. I believe the findings access will be restricted based on repo permission. You can access them by visiting this URL " https://github.com/quarkusio/quarkus/security/code-scanning " or navigate to the "Security" tab and then "Code scanning alerts" I have modified to weekly (Sunday) scan and I think it should be minimum. I am happy to help to enable the sonarcloud scans for the pull requests. Could you please review it again? |
|
Squashed the commits and merged, thanks! I'll check the report tomorrow. |
https://github.blog/2020-09-30-code-scanning-is-now-available/
#11247