Add analysis workflows for SonarQube and CodeQL #1158
Conversation
peternied
requested review from
AndreKurait,
chelma,
gregschohn,
lewijacn,
mikaylathompson and
sumobrian
as code owners
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
This repo has an asychronous process where SonarQube rules are run several hours after code has merged. This creates a life-cycle where code is reviewed approved and merged and then needs to be updated in a second PR. This change introduces two new workflows to minimize the afterwork required for changes in this repo, by running CodeQL which is built into GitHub for security risk detection and SonarQube with its set of issues based on security issues, code smells, and bug detectors. These new workflows are being added without any fixes or adjustments to the codebase to be handled in an ongoing basis. Signed-off-by: Peter Nied <[email protected]>
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #1158 +/- ##
=========================================
Coverage 80.76% 80.76%
Complexity 2948 2948
=========================================
Files 400 400
Lines 15104 15104
Branches 1021 1021
=========================================
Hits 12199 12199
Misses 2288 2288
Partials 617 617
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚨 Try these New Features:
|
Signed-off-by: Peter Nied <[email protected]>
| push: | ||
| pull_request: | ||
| schedule: | ||
| - cron: '25 22 * * 0' |
There was a problem hiding this comment.
What is this schedule for?
There was a problem hiding this comment.
It makes sure even if nothing is pushed during a week main branch is scanned in case new security definitions are created.
Description
This repo has an asynchronous process where SonarQube rules are run several hours after code has merged. This creates a life-cycle where code is reviewed approved and merged and then needs to be updated in a second PR.
This change introduces two new workflows to minimize the after-work required for changes in this repo, by running CodeQL which is built into GitHub for security risk detection and SonarQube with its set of issues based on security issues, code smells, and bug detectors.
These new workflows are being added without any fixes or adjustments to the codebase to be handled in an ongoing basis.
Issues Resolved
Testing
See failed workflow step and annotations on the pull request.
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.