Open szlatkow opened 3 years ago
@aleks-ivanov In addition to SONAR_GITHUB_TOKEN, SONAR_TOKEN and CSA_ACCESS_TOKEN, I think I need to create another PAT named "GITHUB_TOKEN", right? What will be the minimum permission set for this token?
@JasonStein The documentation states that GITHUB_TOKEN is created by default. Is it not listed?
Yes, it is there by default, ignore me.
@aleks-ivanov Currently all the CodeQL alerts I see are for files in the obj/ folder. These files are generated by the XAML compiler and Notepads has no control over them. Is there any way alerts for these types of files can be ignored automatically?
@soumyamahunt CodeQL does have an ignore feature, but for whatever reason it works only for non-compiled languages. In the workflows folder, you will find csa-bulk-dismissal.yml, which is basically a script that you can execute manually and should take care of all those false positives. Check out the documentation for details on how to configure and use it. 🙂
That's what I noticed too: ignore paths only work for interpreted languages, and the documentation is ambiguous about how to ignore paths for statically compiled languages.
I modified the script there to allow dismissal by path matching, besides matching the description, in #849.
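As an added illustration of the approach discussed above (this is example code, not the project's csa-bulk-dismissal.yml): list the repository's open code scanning alerts through the GitHub REST API and dismiss, as false positives, those whose file path matches a glob such as obj/. The IGNORED_GLOBS patterns, the REPO environment variable and the helper names are assumptions made for this example; the token needs the security_events scope.

```python
import fnmatch
import json
import os
import urllib.request

API = "https://api.github.com"

# Constructed for this example: paths of compiler-generated files whose
# alerts should be dismissed. obj/ is the folder named in the thread.
IGNORED_GLOBS = ("obj/*", "*/obj/*")


def alert_path(alert: dict) -> str:
    """File path of the alert's most recent instance ('' if absent)."""
    return (alert.get("most_recent_instance", {})
                 .get("location", {})
                 .get("path", ""))


def select_for_dismissal(alerts, globs=IGNORED_GLOBS):
    """Numbers of open alerts whose path matches one of the globs."""
    chosen = []
    for alert in alerts:
        if alert.get("state") != "open":
            continue  # already fixed or dismissed; leave untouched
        if any(fnmatch.fnmatchcase(alert_path(alert), g) for g in globs):
            chosen.append(alert["number"])
    return chosen


def _request(method, url, token, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def dismiss_generated_alerts(repo, token, globs=IGNORED_GLOBS):
    """Dismiss matching open alerts of repo ('owner/name'); returns their numbers.
    Only the first page (100 alerts) is fetched; loop over pages for larger sets."""
    url = f"{API}/repos/{repo}/code-scanning/alerts?state=open&per_page=100"
    numbers = select_for_dismissal(_request("GET", url, token), globs)
    for n in numbers:
        _request("PATCH", f"{API}/repos/{repo}/code-scanning/alerts/{n}", token,
                 {"state": "dismissed", "dismissed_reason": "false positive"})
    return numbers


if __name__ == "__main__":
    dismiss_generated_alerts(os.environ["REPO"], os.environ["GITHUB_TOKEN"])
```

The selection step is kept separate from the API calls so the path-matching rules can be checked against a sample of alert JSON before anything is dismissed.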
Is your feature request related to a problem? Please describe.
Open security vulnerabilities must be fixed.

Describe the solution you'd like
Using the built-in GitHub workflow system enables security checks and an integrated CI/CD experience.

Describe alternatives you've considered
- Implement semantic versioning actions using tag generator
- Implement CI/CD job sequence
- Run SonarCloud for static analysis
- Run GitHub Dependabot
- Run CodeQL rules
- Provide CI/CD documentation
- Implement App package signing with GitHub Secrets

Additional context
We can provide you with all those automations.

Svetlio from Pipeline Foundation.