ossf / scorecard-action

Official GitHub Action for OpenSSF Scorecard.
Apache License 2.0

:seedling: Remove JavaScript CodeQL linting #1354

Closed adamdmharvey closed 3 months ago

adamdmharvey commented 3 months ago

This PR eliminates the JavaScript CodeQL scanning in the Actions workflows.

Currently, each PR scans both Go and JavaScript:

[screenshot]

However, the only JavaScript in the repo is a single file. This file was added via https://github.com/ossf/scorecard-action/pull/23 when the CodeQL workflow was breaking; but it was breaking because there was NO CodeQL scanning language set at the time (so the "fix" was to go from none to JavaScript, adding the single-line JavaScript file, which just spits out the word "codeql" to the console 😁). But since Go was added, JavaScript should no longer be necessary.

This will eliminate about 1.5 minutes of CodeQL workflow scanning during each actions run.

No release should be necessary.

adamdmharvey commented 3 months ago

Here's how it now looks on my fork:

[screenshot]

spencerschrock commented 3 months ago

But since Go was added, JavaScript should no longer be necessary.

I believe the JS analysis also covers things like GitHub Actions: https://codeql.github.com/codeql-query-help/javascript/js-actions-command-injection/

It's caught things for us before on ossf/scorecard
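
An added illustration of the point above (this is example code, not a workflow from ossf/scorecard-action or ossf/scorecard): a CodeQL workflow that keeps `javascript` in the language matrix alongside `go`, so the JavaScript extractor also reads the repository's workflow YAML, plus a `triage` job showing the kind of step the linked `js/actions/command-injection` query reports and its safe rewrite. The job names, the `triage` step, and the `@v3`/`@v4` action tags are assumptions for this example.

```yaml
# Added example, not from the scorecard-action repository.
name: CodeQL
on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required to upload CodeQL results

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Keeping `javascript` here is what makes CodeQL extract and scan
        # the workflow files under .github/workflows, not just .js sources.
        language: [go, javascript]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # The Actions expression-injection query is in the default suite;
          # `queries: +security-extended` is optional for that finding.
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3

  # Hypothetical job illustrating what the JavaScript analysis flags.
  triage:
    runs-on: ubuntu-latest
    steps:
      # Unsafe pattern (the query reports this): the PR title is interpolated
      # into the shell script text before the shell ever runs it.
      # - run: echo "Title: ${{ github.event.pull_request.title }}"
      #
      # Safe rewrite: pass untrusted input through an environment variable,
      # so the shell receives it as data rather than as script source.
      - run: echo "Title: $PR_TITLE"
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
```

If `javascript` is dropped from the matrix, the `triage` job's unsafe form is no longer extracted or reported, which is the trade-off the PR discussion turns on.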

adamdmharvey commented 3 months ago

It's caught things for us before on ossf/scorecard

Thanks for the feedback! Will check into that.

For this repo at least, the Action notes:

CodeQL scanned 1 out of 1 JavaScript files in this invocation. Check the status page for overall coverage information: https://github.com/ossf/scorecard-action/security/code-scanning/tools/CodeQL/status/

I checked an action on ossf/scorecard, and indeed that one is scanning 222 "extracted" JavaScript files (even though the repo contains one actual file). Seems it's extracting JavaScript OUT of some of the workflows themselves, which it's not doing in this repo.

adamdmharvey commented 3 months ago

Looks like the difference may be this repo isn't doing:

     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v1
       with:
         languages: ${{ matrix.language }}
+        queries: +security-extended
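Review bot: the added `queries: +security-extended` line widens the query suite but does not change which files CodeQL extracts; extraction of workflow YAML by the JavaScript extractor depends on `javascript` being among the values of `matrix.language` passed in `languages: ${{ matrix.language }}`, so that matrix definition (not shown in the snippet) is what to compare between the two repos before attributing the 222 extracted files to the query pack.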

Maybe the alternative is to turn that ON here too?

spencerschrock commented 3 months ago

At least based on this doc, "Expression injection in Actions" is listed for both default and security-extended.

adamdmharvey commented 3 months ago

Will give this a close, based on the point re: validating extracted/interpreted JS through embeddings in actions. Good feedback, thanks!