psalm / psalm-github-security-scan

Psalm Security Scanning for GitHub Actions

Integration Psalm Security Scan Actions in a Security Starter Workflow #6

Open eroullit opened 1 year ago

eroullit commented 1 year ago

Hi Psalm Team! 👋

GitHub offers a wide variety of starter workflows to help the community integrate new CI pipelines quickly and efficiently.

I have prepared a pull request aiming to integrate the Psalm Security Scan workflow within it. To finalise it, your action would need to be registered in the GitHub technology partner program.

If you are interested, could you fill out this form?

In any case, feel free to contact me.

weirdan commented 1 year ago

I suppose we need to fix the build first.

eroullit commented 1 year ago

Hey @weirdan! 👋

The build is back in shape and we are starting to get positive feedback about it ✨

I would like to finalise the work initiated on the starter-workflow repo to make it a breeze to integrate the Psalm Security Scan workflow in a repo.

For that, the psalm/psalm-github-security-scan action would need to be enrolled in the GitHub technology partner program.

weirdan commented 1 year ago

That form doesn't make much sense to me. We're not a business (none of the active maintainers, for sure). Vimeo likely holds the copyright (@muglug can you clarify?) but is not actively involved in Psalm anymore, as far as I can tell.

eroullit commented 1 year ago

Hey @weirdan! 👋

The technical partner program is mainly for third-party components which are integrated in GitHub itself or in its Marketplace.

Its related terms and conditions can be found here, and they would need to be agreed to by the current maintainers.

muglug commented 1 year ago

Hey! The main worry I have here is the increased burden on Psalm’s volunteer maintainers when someone starts using security analysis via this workflow, having not used Psalm before.

Psalm’s security analysis works best in the hands of a security researcher who understands the capabilities of it and similar tools. I’m concerned that push-button workflows that lack a contractual commitment might create an onerous amount of work.

eroullit commented 1 year ago

First and foremost, I would like to thank you for maintaining Psalm and all related actions. ❤️

It is already helping all PHP-based open source software developers and security researchers greatly to find defects in already existing codebases as well as in newly developed code.

Users' feedback about alerts raised by Psalm has been very positive overall, even more so since the Psalm security action has been updated.

Many open-source projects, backed either by companies or by volunteers, have chosen to have dedicated starter workflows to give users an easy and correct way to set up the first version of their static analysis workflows, such as:

So far, the synergies between the security researchers building these tools and the developers have been a boon for software security, allowing them to ship safer and better code overall.

griffinashe commented 1 year ago

Hi @muglug, I work on our security ecosystem team here at GitHub. Would you be open to talking through this some time soon?

orklah commented 1 year ago

Hey @griffinashe! Matt no longer works on Psalm. I could try to answer your questions, though I'm not exactly sure I understand all the ins and outs of what is suggested in this thread.

griffinashe commented 1 year ago

@orklah - Sorry for the delayed response. If you email me at griffinashe@github.com with some times that work for you the week of July 10th or July 17th, I can send an invite out to discuss.

orklah commented 1 year ago

I'm not very used to having oral discussions in English. Could that be an email or a chat?

griffinashe commented 1 year ago

@orklah Of course. Please send me an email at the address in my previous message and we can discuss there.