Open godfreykutumela opened 2 years ago
Hi @elnyry-sam-k, we planned to complete this task this PI, so please nominate who can work with us on this one from the core team. Implementation will be based on the CodeQL SAST tool, which is free in our GitHub subscription.
Hi Godfrey, as we discussed, once we move to the enterprise version of Mojaloop (free plan for OSS) and enable this, let's review the scope and discuss further steps.
Hi @simeonoriko, can you please update on the process of migrating to the enterprise version? This is a blocker to enabling CodeQL SAST.
Blocked by the lack of a CodeQL license. Awaiting a free license from GitHub as part of the migration to GitHub Enterprise.
Goal:
Test the suitability of GitHub CodeQL as Mojaloop's static application security testing (SAST) tool.
Static application security testing (SAST), or static analysis, is a testing methodology that analyzes source code to find security vulnerabilities that make your organization's applications susceptible to attack. SAST scans an application before the code is compiled. It is also known as white-box testing.
Acceptance Criteria:
Complexity: Medium
Uncertainty: Medium
Tasks:
Done
Pull Requests:
Follow-up:
Dependencies:
Accountability: