
🌱 Add GitHub workflow to scan project with CodeQL #4252

Merged
merged 1 commit into from
Oct 31, 2024

Conversation

camilamacedo86
Member

@camilamacedo86 camilamacedo86 commented Oct 30, 2024

This workflow introduces CodeQL to automatically scan the project for security vulnerabilities, supporting efforts to maintain a secure codebase. It also helps us comply with standards like the Cybersecurity Certification Act (CCA) by ensuring continuous security monitoring.

Motivated by: #3712

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: camilamacedo86

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 30, 2024
@camilamacedo86 camilamacedo86 force-pushed the add-codeql-sec branch 2 times, most recently from 4c80737 to d6cf181 Compare October 30, 2024 10:10
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
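Review bot: `languages: ${{ matrix.language }}` takes its value from a matrix whose definition is not in this hunk; if the project only scans Go, a literal `languages: go` is simpler and removes the matrix indirection. Separately, `uses: github/codeql-action/init@v3` follows a floating major tag; pinning it to a full commit SHA would make the scanner version auditable and prevent a retagged release from silently changing what runs in CI.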

@grzesuav grzesuav Oct 30, 2024


Can't `go` be hardcoded here?

Member Author


Thx, good point, I think we can simplify it!

languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}

- if: matrix.language == 'go' && matrix.build-mode == 'manual'
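Review bot: the step guarded by `if: matrix.language == 'go' && matrix.build-mode == 'manual'` only runs when the matrix actually sets `build-mode` to `manual`, and nothing in this hunk shows that it does; if the workflow relies on CodeQL's default build for Go, both this condition and the `build-mode: ${{ matrix.build-mode }}` input can be dropped, otherwise the matrix entry that enables manual mode should be documented next to the build step so the condition is not dead code.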


Not sure when this condition is true (manual build mode).

Copy link
Member Author


Thx, good point, I think we can simplify it!

@camilamacedo86
Member Author

camilamacedo86 commented Oct 31, 2024

Hi @grzesuav

Really, thank you for your review.
All addressed; it is very simplified now.

So, since it is just a check that does not impact the end users and we addressed all, I am moving forward;
it makes no sense for me to make anybody waste so much time on reviews.

However, if you, or anybody else, see any possible improvement here, please feel free to push a PR with your suggestions.
Also, we need to check if that will work fine in the settings, and we can always revisit, remove or change this one if we see fit.

@camilamacedo86 camilamacedo86 added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 31, 2024
@k8s-ci-robot k8s-ci-robot merged commit dd6b632 into kubernetes-sigs:master Oct 31, 2024
20 checks passed
camilamacedo86 added a commit that referenced this pull request Oct 31, 2024
Follow-up of: #4252

We do not want to run for each Pull Request.
Executing it once per week is more than enough.
camilamacedo86 added a commit that referenced this pull request Oct 31, 2024
Update codeql.yml to run the workflow once per week only

Follow-up of: #4252

We do not want to run for each Pull Request.
Executing it once per week is more than enough.
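The shape the workflow ends up in after the review points above (language hardcoded, no manual-build condition) and the follow-up commits (run once per week), written here as an added example and not the project's own codeql.yml; the cron value, job name and permissions block are assumptions.

```yaml
name: CodeQL

on:
  schedule:
    # Weekly run, as the follow-up commits describe; the exact day and
    # hour are an assumption, not taken from the project's workflow.
    - cron: '0 0 * * 1'
  workflow_dispatch: {}

# Least privilege for the token: read the repository, upload SARIF results
# to the code-scanning API, and read workflow metadata. Nothing else.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  analyze:
    name: Analyze (Go)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        # Language is a literal instead of a matrix variable, as suggested in
        # review. In practice pin both codeql-action references to a full
        # commit SHA rather than the floating v3 tag so the scanner version
        # is auditable and a retagged release cannot change what runs here.
        uses: github/codeql-action/init@v3
        with:
          languages: go

      # No manual build step and no build-mode matrix: CodeQL's default
      # build handles Go, so the matrix.build-mode == 'manual' guard from
      # the earlier revision is unnecessary.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:go"
```

Results land in the repository's code-scanning alerts, so a weekly schedule still surfaces new findings without adding latency to every pull request.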
@camilamacedo86 camilamacedo86 deleted the add-codeql-sec branch October 31, 2024 12:03