
Security scanning with CodeQL and Grype #1282

Merged (27 commits), Oct 7, 2022

Conversation

apetkau
Member

@apetkau apetkau commented May 20, 2022

Description of changes

Sets up code scanning using GitHub actions. In particular, two methods for code scanning are provided:

  • CodeQL: This scans both the Java and JavaScript code for potential vulnerabilities or security issues in our code.
  • Anchor Security Scan: This builds the IRIDA WAR package and scans for vulnerable Java dependencies using the Grype security tool.

Both of these tools compile results into a SARIF file format, which can be integrated with GitHub. In particular, results of code scanning will show up in the Checks tab of a pull request, as well as the Security tab of the repository.

Code scanning results for a particular pull request are available to view for anyone who has read permission to the repository. A summary of all results provided in the Security tab is only available to those with write permissions to the repository. See Managing code scanning alerts for your repository for more details.

You can configure the security levels that cause pull-request failures in the Security section of the Repository Settings (I currently have it set to fail only for Critical security alerts).

Related issue

Implements #1335

Checklist

Things for the developer to confirm they've done before the PR should be accepted:

  • [x] CHANGELOG.md (and UPGRADING.md if necessary) updated with information for new change.
  • [x] Tests added (or description of how to test) for any new features.
  • [ ] User documentation updated for UI or technical changes.
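The setup described above (CodeQL for Java and JavaScript, plus a Grype scan of the built WAR, both uploaded as SARIF so results appear in the Checks and Security tabs) as an added example workflow. This is not the workflow from this PR or from the IRIDA repository; the build command, the WAR output directory and the job names are placeholders, and the action versions are the ones current when this example was written.

```yaml
name: Security scanning (example, not the project's own workflow)

on:
  pull_request:
  push:
    branches: [development]

permissions:
  contents: read
  security-events: write   # needed to upload SARIF into GitHub code scanning

jobs:
  codeql:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [java, javascript]   # the two languages the PR description scans
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/autobuild@v2   # compiles Java so CodeQL can build its database
      - uses: github/codeql-action/analyze@v2
        with:
          category: "/language:${{ matrix.language }}"   # keeps per-language alerts distinct

  grype-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Build WAR
        run: ./build-war.sh            # placeholder: replace with the real build command
      - name: Scan WAR dependencies with Grype
        id: grype
        uses: anchore/scan-action@v3
        with:
          path: "./build/libs"         # placeholder: directory containing the built WAR
          fail-build: false            # do not fail here; gate PRs on alert severity in repo settings
          severity-cutoff: critical    # report only findings at or above this level
      - name: Upload Grype SARIF to code scanning
        if: always()                   # upload findings even if an earlier step failed
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.grype.outputs.sarif }}
          category: grype              # separate tool category so CodeQL and Grype alerts do not overwrite each other
```

With `fail-build: false` the scan step never fails the job itself; the pull-request check outcome then comes from the severity threshold configured under the repository's Security settings, as the description notes.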

@apetkau apetkau changed the title from "WIP:Code scanning with CodeQL" to "Code scanning with CodeQL" Jun 29, 2022
@apetkau apetkau changed the title from "Code scanning with CodeQL" to "Security scanning with CodeQL and Grype" Jun 29, 2022
@apetkau apetkau marked this pull request as ready for review October 7, 2022 14:42
Member

@ericenns ericenns left a comment


👍 Thanks for adding this @apetkau

@ericenns ericenns merged commit 43b8c6e into development Oct 7, 2022
@ericenns ericenns deleted the feature/enable-code-scanning branch October 7, 2022 18:44
@apetkau apetkau mentioned this pull request Oct 7, 2022

2 participants