0x7c13 / Notepads

A modern, lightweight text editor with a minimalist design.
https://www.NotepadsApp.com
MIT License

[Feature request] Implement GitHub DevSecOps workflow. #750

Open szlatkow opened 3 years ago

szlatkow commented 3 years ago

Is your feature request related to a problem? Please describe.
Open security vulnerabilities must be fixed.

Describe the solution you'd like
Using the built-in GitHub workflow system enables security checks and an integrated CI/CD experience.

Describe alternatives you've considered
- Implement semantic versioning actions using tag generator
- Implement CI/CD job sequence
- Run SonarCloud for static analysis
- Run GitHub Dependabot
- Run CodeQL rules
- Provide CI/CD documentation
- Implement App package signing with GitHub Secrets

Additional context
We can provide you all those automations.

Svetlio from Pipeline Foundation.

0x7c13 commented 3 years ago

@aleks-ivanov In addition to SONAR_GITHUB_TOKEN, SONAR_TOKEN and CSA_ACCESS_TOKEN, I think I need to create another PAT named "GITHUB_TOKEN" right? What will be the minimum permission set for this token?

soumyamahunt commented 3 years ago

> @aleks-ivanov In addition to SONAR_GITHUB_TOKEN, SONAR_TOKEN and CSA_ACCESS_TOKEN, I think I need to create another PAT named "GITHUB_TOKEN" right? What will be the minimum permission set for this token?

@JasonStein The documentation states that GITHUB_TOKEN is created by default. Is it not listed?

0x7c13 commented 3 years ago

> @aleks-ivanov In addition to SONAR_GITHUB_TOKEN, SONAR_TOKEN and CSA_ACCESS_TOKEN, I think I need to create another PAT named "GITHUB_TOKEN" right? What will be the minimum permission set for this token?
>
> @JasonStein The documentation states that GITHUB_TOKEN is created by default. Is it not listed?

Yes, it is there by default, ignore me.

soumyamahunt commented 3 years ago

@aleks-ivanov currently all the CodeQL alerts I see are for files in the obj/ folder. These files are generated by the XAML compiler and Notepads has no control over them. Is there any way alerts for these types of files can be ignored automatically?

aleks-ivanov commented 3 years ago

> @aleks-ivanov currently all the CodeQL alerts I see are for files in the obj/ folder. These files are generated by the XAML compiler and Notepads has no control over them. Is there any way alerts for these types of files can be ignored automatically?

@soumyamahunt CodeQL does have an ignore feature, but for whatever reason it works only for non-compiled languages.

In the workflows folder, you will find csa-bulk-dismissal.yml which is basically a script that you can execute manually and should take care of all those false positives. Check out the documentation for details on how to configure and use it. 🙂

soumyamahunt commented 3 years ago

> @soumyamahunt CodeQL does have an ignore feature, but for whatever reason it works only for non-compiled languages.

That's what I noticed too: ignore path only works for interpreted languages, and the documentation is ambiguous about how to ignore a path for statically compiled languages.

> In the workflows folder, you will find csa-bulk-dismissal.yml which is basically a script that you can execute manually and should take care of all those false positives. Check out the documentation for details on how to configure and use it. 🙂

I modified the script there to allow dismissal by path matching besides matching description in #849.
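The path-based dismissal discussed above, as an added example that is not the project's csa-bulk-dismissal.yml: it selects open code-scanning alerts whose file sits under an `obj` directory and dismisses each one through the GitHub REST API as a false positive. The directory name, the dismissal comment and the sample alert records are constructed for this example; the HTTP call is injectable so the selection logic runs offline.

```python
"""Bulk-dismiss CodeQL alerts raised on generated files (added example)."""
import json
import urllib.request

GENERATED_DIRS = ("obj",)  # assumption: XAML compiler output lives under obj/ at any depth


def is_generated(path, dirs=GENERATED_DIRS):
    """True if any directory component of path is one of dirs (file name excluded)."""
    return any(d in path.split("/")[:-1] for d in dirs)


def select_alerts(alerts, dirs=GENERATED_DIRS):
    """Numbers of open alerts located in generated directories; skips fixed/dismissed ones."""
    return [a["number"] for a in alerts
            if a.get("state") == "open"
            and is_generated(a["most_recent_instance"]["location"]["path"], dirs)]


def dismissal_body(comment="Generated by the XAML compiler; not maintained in this repo"):
    """Body for PATCH /repos/{owner}/{repo}/code-scanning/alerts/{number}."""
    return {"state": "dismissed", "dismissed_reason": "false positive",
            "dismissed_comment": comment}


def github_request(url, token, method="GET", body=None):
    """Authenticated JSON call; the token needs code-scanning (security_events) access."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def bulk_dismiss(owner, repo, token, dirs=GENERATED_DIRS, request=github_request):
    """List open alerts (first page only), dismiss those in dirs, return their numbers."""
    base = f"https://api.github.com/repos/{owner}/{repo}/code-scanning/alerts"
    numbers = select_alerts(request(f"{base}?state=open&per_page=100", token), dirs)
    for number in numbers:
        request(f"{base}/{number}", token, method="PATCH", body=dismissal_body())
    return numbers


# Constructed sample alerts, abridged to the fields the API returns that we use.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open",
     "most_recent_instance": {"location": {"path": "src/Notepads/obj/x64/Release/App.g.cs"}}},
    {"number": 2, "state": "open",
     "most_recent_instance": {"location": {"path": "src/Notepads/Program.cs"}}},
    {"number": 3, "state": "dismissed",
     "most_recent_instance": {"location": {"path": "src/Notepads/obj/x64/Release/Old.g.cs"}}},
]
```

Run the real thing with `bulk_dismiss("owner", "repo", token)`; handle pagination via the `Link` header if a repository has more than 100 open alerts.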