sonarcloud[bot]
commented
6 months ago 
Quality Gate passed
Issues
0 New issues
Measures
0 Security Hotspots
No data about Coverage
No data about Duplication
Open cko-developer-portal[bot] opened 1 year ago
sonarcloud[bot]
commented
6 months ago Quality Gate passedIssues
0 New issues
Measures
0 Security Hotspots
No data about Coverage
No data about Duplication
Why has this PR been raised?
The Engineering Experience and Security teams have been working together to help secure our repositories. This includes enabling Github features such as Advanced Security and Secret Scanning.
This PR is to add a Github Actions workflow for running CodeQL.
What is CodeQL?
CodeQL is the analysis engine used by developers to automate security checks, and by security, researchers to perform variant analysis.
In CodeQL, code is treated like data. Security vulnerabilities, bugs, and other errors are modeled as queries that can be executed against databases extracted from code. You can run the standard CodeQL queries, written by GitHub researchers and community contributors, or write your own to use in custom analyses. Queries that find potential bugs highlight the result directly in the source file.
See more details here.
What does my team need to do?
To run this workflow you might need to make a few changes to this file.
Some changes are:
Running on public runners
CodeQL workflow is pre-configured to run on self-hosted runners associated with your organization by default. If organization does not have any self hosted runners, submit a request via Fresh Service(GitHub Organisation Self Hosted Runners Onboarding).
However, as an exception or in case of unforeseen failure you can update your workflow to run on public runners.
runs on: [...]toruns on: [ubuntu-latest]What should we do if we have any problems with this?
If you encounter any issues, please message the #ask-security channel, a Security Champion in your team or Engineering area, or Application Security (Andra Lezza)
Why has this PR been raised again, we closed the last one.
If your repo is not part of an exemption list and has been tagged as needing to be scanned, you will need to first merge the codeql-analysis*.yml file and kick off a code scan before closing the PR.