scientistproject / Scientist.net

A .NET library for carefully refactoring critical paths. It's a port of GitHub's Ruby Scientist library
MIT License

Actions for code scanning #138

Closed JoshHiles closed 2 years ago

JoshHiles commented 3 years ago

Description

As a maintainer, I want code scanning to be run on a PR, so that common vulnerabilities and coding errors are detected automatically.

Acceptance Criteria

M-Zuber commented 3 years ago

What are the current top options here? Can we use Dependabot for this?

JoshHiles commented 3 years ago

So Dependabot is for dependency updates, and I think Dependabot still does security alerting on packages, e.g. Package.Package 4.0.2 has an update to 4.0.3 and Dependabot will open a PR to upgrade that version, or a "security alert on 4.0.3 detected" sort of thing.

Code scanning is to detect common vulnerabilities and coding errors. The top option I'd go for is CodeQL Analysis, which can be set up with the repo.
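For reference, this is the shape of a CodeQL workflow that would run on PRs for a C# repository like this one. It is an added illustration, not the workflow the project merged; the file path `.github/workflows/codeql.yml`, the `main` branch name and the weekly schedule are assumptions.

```yaml
# Assumed location: .github/workflows/codeql.yml
name: CodeQL

on:
  push:
    branches: [ main ]          # assumed default branch
  pull_request:
    branches: [ main ]          # runs on every PR targeting main
  schedule:
    - cron: '0 6 * * 1'         # assumed weekly run so new queries are applied to existing code

# Least-privilege token: only what is needed to read the repo and upload results
permissions:
  actions: read
  contents: read
  security-events: write        # required to upload SARIF results to code scanning

jobs:
  analyze:
    name: Analyze (C#)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      # Initialise CodeQL for C#. The built-in security-and-quality suite covers
      # common vulnerability and coding-error patterns beyond the default suite.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: csharp
          queries: security-and-quality

      # C# is a compiled language, so CodeQL has to observe a build;
      # autobuild tries to locate and build the .NET solution on its own.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      # Runs the queries and uploads the results; findings show up as a PR check
      # and under the repository's Security > Code scanning alerts tab.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
        with:
          category: "/language:csharp"
```

If autobuild cannot work out how to build the solution, the Autobuild step is replaced with explicit `dotnet restore` / `dotnet build` steps between `init` and `analyze`.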

marblekirby commented 3 years ago

I can start looking at this issue next; I will add CodeQL Analysis as an action.

Please assign me, thanks

JoshHiles commented 3 years ago

Sorry @marblekirby only just seen your comment!

marblekirby commented 3 years ago

That is ok, I didn't get round to adding CodeQL quickly enough anyway; will assign @JoshHiles.