Open patcon opened 4 years ago
Didn't realize, but we need to join the beta: https://github.com/patcon/polisServer/actions/runs/203287010
Registered for my personal account here: https://github.com/features/security/advanced-security/signup
Pending branch: https://github.com/patcon/polisServer/tree/339-codeql
Re-ticketed from Gitter chat and https://github.com/actions/upload-artifact/pull/78
GitHub is working on a new tool to do automated vulnerability scanning: https://securitylab.github.com/tools/codeql
Video intro here: https://www.youtube.com/watch?v=58N0_0HCDPE
There's an action that runs CodeQL, which is the official way supported by GitHub -- we'll be manually adding it, but streamlined setup of this workflow will be integrated into the GitHub UI under "Security" tab in the future.
https://github.com/github/codeql-action
This feels like it could be really helpful, and might surface quite a bit of recommendations, given the long history of moving rapidly in the past.
I'm still investigating the best way to start using it on a codebase. (on PRs to look at new code? on mainline nightly? enabled before fixes to benchmark work to be done?)
Thoughts? Does this seem aligned with our goals, and worth doing? Anyone have any experience with this kind of tool, good or bad?
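For reference, here is what a minimal workflow using the `github/codeql-action` would look like, covering the two options raised above (scan each PR, and scan the mainline on a nightly schedule) in one file. This is an added illustration, not code from the issue, the polisServer repo, or the pending branch; the action version tags, the `javascript` language choice, the `master` branch name and the cron time are assumptions and would need to be checked against the repo and the codeql-action README before use.

```yaml
# .github/workflows/codeql.yml (assumed path; illustrative example, not from the repo)
name: CodeQL

on:
  # Scan new code as it arrives: every PR against the mainline branch.
  pull_request:
    branches: [master]        # assumed mainline branch name
  # Scan the mainline itself once a night so pre-existing findings get
  # surfaced and can be used as a baseline for work to be done.
  schedule:
    - cron: '0 3 * * *'       # assumed: 03:00 UTC daily

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      # Initializes the CodeQL tools and sets the languages to analyze.
      # 'javascript' is an assumption for this codebase; add others as needed.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: javascript

      # Runs the queries and uploads results to the repo's "Security" tab
      # (requires the code scanning beta / Advanced Security to be enabled).
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v1
```

Running on `pull_request` answers the "look at new code" question, while the `schedule` trigger answers the "mainline nightly" one; the same workflow serves both, and the first scheduled run effectively benchmarks the existing backlog before any fixes land.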