Open codeboten opened 1 year ago
Hi @codeboten, thanks for opening this issue :slightly_smiling_face:
I was going through the items on the list and checked those which we already have enabled; I left out the ones I still have some open questions about (see points below):
main
- should we change our workflow to do the same?Are there any specific recommendations from the Security SIG on running CodeQL?
I asked the question to the security sig, and created https://github.com/open-telemetry/sig-security/issues/15 to track the recommendation.
Question: is any action necessary in this case? 🤔
I don't think there's any addiitonal steps no.
Hi @pichlermarc @codeboten , I would prefer to contribute here. I can add codeql GitHub action & as far as staticcheck tool is considered, how about we use TSLint which is native typescript staticcheck tool?
Hi @pichlermarc @codeboten , I would prefer to contribute here. I can add codeql GitHub action & as far as staticcheck tool is considered, how about we use TSLint which is native typescript staticcheck tool?
CodeQL seems like a good idea and a PR would be welcome. We are already using a linter which solves a different problem.
We're already running CodeQL via GitHub Action. 🙂
Vulnerability checking is something that we still need to do. We could run npm audit --omit=dev
for that though (some devDependencies we have to keep at an outdated version for now as we need to support older node runtimes). 🤔
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.
The security SIG is looking to ensure that security tooling is setup consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:
Parent issue: https://github.com/open-telemetry/sig-security/issues/12