DanBloomberg / leptonica

Leptonica is an open source library containing software that is broadly useful for image processing and image analysis applications. The official github repository for Leptonica is: danbloomberg/leptonica. See leptonica.org for more documentation.

Remove LGTM badges (LGTM.com will be shut down in December 2022) #650

Closed stweil closed 1 year ago

stweil commented 1 year ago

Signed-off-by: Stefan Weil <sw@weilnetz.de>

DanBloomberg commented 1 year ago

Darn -- I liked them.

amitdo commented 1 year ago

Dan,

https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/

The replacement is CodeQL. You already have a CodeQL workflow.

However, it seems you need to change some setting in the repository to actually see the alerts.

Here is how CodeQL's alerts are presented in Tesseract:

https://github.com/tesseract-ocr/tesseract/security/code-scanning

DanBloomberg commented 1 year ago

I can't see the tesseract/security/code-scanning link.

What workflow we should use with CodeQL seems above my pay grade. Running the analyzer after every push seems like overkill, and I don't know the costs or the benefits. If Stefan has an opinion about what makes sense, I'd be happy to have him handle it.

amitdo commented 1 year ago

Maybe only the people that are members of the repo can see the alerts.

stweil commented 1 year ago

Yes, although CodeQL seems to be made by the same people as LGTM, it looks much more complicated (like a typical Microsoft product). I still did not find out how to enable all reports from LGTM in CodeQL. Currently it only shows severe errors.

It is possible to configure how often continuous integration actions should run. I also wonder whether some runs might be overkill, and we should also consider that they cost electrical energy of course.

The security alerts are only visible for certain team members and selected people. That's similar for Coverity Scan, too. So Amit can add Dan to Tesseract, and Dan can add Amit to Leptonica. :-)