loculus-project / loculus

An open-source software package to power microbial genomic databases
https://loculus.org
GNU Affero General Public License v3.0

ci: add codeql config #2705

Closed corneliusroemer closed 2 months ago

corneliusroemer commented 2 months ago

Adds CodeQL config, which automatically scans for security vulnerabilities.

Python and Typescript work without custom config, but kotlin required some.

github-advanced-security[bot] commented 2 months ago

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

anna-parker commented 2 months ago

@corneliusroemer I see this error when I look into the security section on github: [image] - will this PR fix this or is https://github.com/github/codeql-action/issues/2378#issuecomment-2327705067 potentially still causing issues?

corneliusroemer commented 2 months ago

Great question @anna-parker - I should have been explicit.

  1. I set up codeql with default settings (no config file)
  2. This ran, it worked for Python and TS, it failed for kotlin
  3. This is the notification you see, that something failed
  4. I then switched to advanced config (having explicit config file)
  5. This is the PR here
  6. Based on how codeql works, the advanced config doesn't make the warning disappear until it's merged into main
  7. The codeql config here ran on this branch and it worked, so it shouldn't error again.

Hope this makes sense!
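The steps above describe moving from CodeQL's default setup (no config file, which failed for Kotlin) to an "advanced" setup with an explicit workflow. The workflow below is an added example of what such an advanced setup looks like; it is not the workflow file from this PR or from the loculus repository. The repository layout (a Gradle build under `backend/`), the JDK version, the cron schedule and the `security-extended` query suite are assumptions; the action names and inputs (`github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`, `languages`, `build-mode`, `queries`, `category`) are the real codeql-action inputs.

```yaml
# Constructed example of a CodeQL "advanced setup" workflow with explicit
# per-language configuration. Not the loculus PR's own file; the build
# commands, directories and versions below are assumptions.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 3 * * 1"   # weekly scan of the default branch (assumed schedule)

permissions:
  contents: read
  security-events: write   # needed to upload SARIF results to the Security tab

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          # Interpreted languages need no build, so the default setup works.
          - language: python
            build-mode: none
          - language: javascript-typescript
            build-mode: none
          # Kotlin is handled by the Java/Kotlin extractor, which traces a real
          # build; this is the language that needs explicit configuration.
          - language: java-kotlin
            build-mode: manual
    steps:
      - uses: actions/checkout@v4

      - name: Set up JDK (only for the Kotlin build)
        if: matrix.language == 'java-kotlin'
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: "21"   # assumed version

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          queries: security-extended   # assumed query suite choice

      # Manual build so the extractor can observe compilation of the Kotlin
      # sources. The Gradle project path is an assumption.
      - name: Build Kotlin backend
        if: matrix.build-mode == 'manual'
        working-directory: backend
        run: ./gradlew assemble --no-daemon

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          # A distinct category per language keeps the SARIF uploads from
          # overwriting each other on the same commit.
          category: "/language:${{ matrix.language }}"
```

Results for a pull request show up on the PR's checks, while the Security tab's default-branch results only reflect this workflow once it has run on `main`, which is why the earlier failure notification persists until the PR is merged.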