Closed ChrisBAshton closed 3 months ago
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
This will resolve the alert at https://gds.slack.com/archives/C02L13S214K/p1714381348726429.
NB, this took a bit of effort! We were seeing an error with the default code analysis:
We explored configuring the reusable workflow to take a `languages` input, but there doesn't seem to be a way of defaulting to 'undefined' if the parameter isn't passed, meaning we'd have to set a default of, say, 'ruby'. This would break the workflow for repos that may already be working with both Ruby and JS, where they'd be forced to pass the `languages` parameter now.

We also explored setting up CodeQL directly within the GitHub UI and explicitly opting out of Ruby to have JS only, but the reusable workflow still does a language detection and runs both JS and Ruby scans (the "JS only" scan appears as a separate job called "CodeQL / Analyze (javascript-typescript) (dynamic)"):
Eventually, on closer inspection, we found that the only Ruby in this project was a disused Rakefile, so we removed it in https://github.com/alphagov/govuk-browser-extension/pull/198. Now the CodeQL scan passes.