Open wwuck opened 8 months ago
A number of those alerts seem to be for vendored dependencies. To be useful it would need to be possible to tell the tool to skip the _vendor directory. In general I would prefer it if the approach was configurable so that we could choose what checks to opt into and what files to check.
What's the problem this feature will solve?
This is following on from https://github.com/pypa/pip/issues/12564 to discuss whether pip maintainers would be interested in enabling CodeQL SAST scanning on the pip repository.
This would enable scanning for code security vulnerabilities during each Pull Request to reduce the risk of any vulnerabilities entering the pip codebase.
Describe the solution you'd like
Enabling CodeQL scanning in the default setup is relatively painless and involves just clicking a few buttons in the pip project settings security analysis page.
Alternatively, I would be happy to provide a PR for a CodeQL workflow file similar to what is used in the pypa/twine and pypa/packaging repositories.
After the first scan is completed, a baseline can be created by dismissing any alerts that don't need to be fixed (e.g. alerts for code in tests).
I ran a quick test by enabling CodeQL on my fork of the pip repository and it came back with these results (screenshot because it appears that my fork's CodeQL scan results are not publicly accessible outside of the GitHub project's maintainers):
Alternative Solutions
An alternative could be using SonarCloud but as that is a third-party tool, it would be simpler to stick with CodeQL integrated into GitHub.
Additional context
N/A
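The workflow-file route from the issue, combined with the configurability asked for in the thread (opting into a named query suite and skipping the _vendor directory), written out as an added example; it is not taken from the issue, pip, pypa/twine or pypa/packaging, and the file paths, the `main` branch name and the `src/pip/_vendor` location are assumptions:

```yaml
# --- file: .github/codeql/codeql-config.yml (assumed path) ---
name: "pip CodeQL configuration"

# Opt into checks explicitly instead of inheriting the default suite.
# security-extended is one of CodeQL's built-in suite names.
queries:
  - uses: security-extended

# Skip vendored dependencies: alerts there are upstream code pip does
# not maintain and would only add noise to the baseline.
# src/pip/_vendor is the assumed location of the _vendor directory.
paths-ignore:
  - 'src/pip/_vendor/**'

# --- file: .github/workflows/codeql.yml (assumed path) ---
name: CodeQL

on:
  pull_request:            # scan every PR, as the issue proposes
  push:
    branches: [main]       # assumed default branch name
  schedule:
    - cron: '0 6 * * 1'    # weekly rescan picks up newly added queries

# Least privilege: the job only needs to read code and upload SARIF alerts.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python
          config-file: ./.github/codeql/codeql-config.yml
      - uses: github/codeql-action/analyze@v3
```

Changing `queries` or `paths-ignore` in the config file is how the set of checks and the scanned files are adjusted later without touching the workflow itself.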