pnpm / action-setup

Install pnpm package manager
https://github.com/marketplace/actions/setup-pnpm
MIT License

Enable Code Scanning & Address Code Quality Issues #93

Open zacowan opened 1 year ago

zacowan commented 1 year ago

GitHub provides a code-scanning tool (Settings > Code Security and Analysis > Code Scanning) named CodeQL that helps identify common code quality and security issues. When enabling this in a fork of the repo, there appear to be 30 code quality issues that CodeQL recommends addressing. Some of these are in the dist folder, so there's likely some level of duplication that should mean fewer than 30 code issues.

It would be useful to address these code quality/security issues to improve the security and reliability of this action.

zacowan commented 1 year ago

Looks like these are ALL actually for the bundled pnpm.js file, which may be from the actual pnpm repo?

KSXGitHub commented 1 year ago

Can you create a PR that sets up Code Scanning for all files except dist and pnpm.js?

zacowan commented 1 year ago

Can you create a PR that sets up Code Scanning for all files except dist and pnpm.js?

It looks like there's a way to set up "advanced code scanning", which is effectively just a workflow file. Looking at the options for this though, I'm not noticing any options for filtering out which files to scan. I'm looking through the "Configuring advanced setup" and "Customizing code scanning" sections - do you see anything I'm missing?

I imagine (if you don't find anything) that the idea is if you don't scan a part of a repository for code security scanning, then that kinda defeats the purpose, since there will always be some part of the repo that won't be secure 😅
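For reference, the advanced setup discussed above can scope what CodeQL analyses through a separate config file with a `paths-ignore` list, referenced from the workflow via the `config-file` input of `github/codeql-action/init`. The two files below are an added illustration, not part of this thread or of the action-setup repository; the file paths and the `javascript` language choice are assumptions for this repo.

```yaml
# .github/codeql/codeql-config.yml  (assumed path, added example)
name: "action-setup CodeQL config"
# Exclude the bundled artefacts that produced the findings reported above.
# Note: excluded paths are simply not analysed, so any issue inside them
# (e.g. in the vendored pnpm.js) will not surface in code scanning at all;
# keeping the bundle current is the mitigation for that blind spot.
paths-ignore:
  - dist
  - pnpm.js
  - node_modules

# .github/workflows/codeql.yml  (assumed path, added example)
name: CodeQL
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: "0 6 * * 1"   # weekly run so new queries still cover old code
permissions:
  contents: read
  security-events: write   # required to upload SARIF results
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
          config-file: ./.github/codeql/codeql-config.yml
      - uses: github/codeql-action/analyze@v3
```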

KSXGitHub commented 1 year ago

I imagine (if you don't find anything) that the idea is if you don't scan a part of a repository for code security scanning

Ah, I see. Then we would have to update the pnpm.js to the latest version, assuming pnpm itself passes the code scanning.