CodeQL workflow for JavaScript, Java, C#, Go, Ruby, Python #45
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why has this PR been raised?
The Engineering Experience and Security teams have been working together to help secure our repositories. This includes enabling Github features such as Advanced Security and Secret Scanning.
This PR is to add a Github Actions workflow for running CodeQL.
What is CodeQL?
CodeQL is the analysis engine used by developers to automate security checks, and by security, researchers to perform variant analysis.
In CodeQL, code is treated like data. Security vulnerabilities, bugs, and other errors are modeled as queries that can be executed against databases extracted from code. You can run the standard CodeQL queries, written by GitHub researchers and community contributors, or write your own to use in custom analyses. Queries that find potential bugs highlight the result directly in the source file.
See more details here.
What does my team need to do?
To run this workflow you might need to make a few changes to this file.
Some changes are:
Running on public runners
CodeQL workflow is pre-configured to run on self-hosted runners associated with your organization by default.
If organization does not have any self hosted runners, submit a request via Fresh Service(GitHub Organisation Self Hosted Runners Onboarding).
However, as an exception or in case of unforeseen failure you can update your workflow to run on public runners.
runs on: [...]
toruns on: [ubuntu-latest]
What should we do if we have any problems with this?
If you encounter any issues, please message the #ask-security channel, a Security Champion in your team or Engineering area, or Application Security (Andra Lezza)
Why has this PR been raised again, we closed the last one.
If your repo is not part of an exemption list and has been tagged as needing to be scanned, you will need to first merge the codeql-analysis*.yml file and kick off a code scan before closing the PR.