Add codeql semantic analysis #45
Conversation
jankapunkt
added
enhancement ✨
|
The detailed list of the analysis (checked known CWEs for example) can be viewed in the action's log (only members): https://github.com/node-oauth/node-oauth2-server/pull/45/checks?check_run_id=3903646993 |
|
@HappyZombies we can set the threshold for errors in the security and analysis tab in the settings: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository However I don't have access to it. can you elevate my access to this specific tab? |
|
Note, that "Code scanning results / CodeQL" will not be able before being merged. It's basically comparing the PR with the base branch and informs, how many vulnerabilities have been fixed or new introduced, compared to the base branch. |
|
This was a really good idea @jankapunkt. I didn't even realize it existed so thanks for the head up! |
|
@jankapunkt I totally missed your message in asking for more access 🤦 I went ahead and gave you admin. |
This adds a new CodeQl analysis to our CI for every pull request (https://github.com/github/codeql-action)
Additionally the analysis runs sheduled every night at 2am
The queries can be found here: https://github.com/github/codeql/tree/main/javascript/config/suites/javascript