Enable Jenkins Security Scan #100
CLA Assistant Lite bot: All contributors have signed the CLA ✍️ ✅
I have read the CLA Document and I hereby sign the CLA
Thanks again for opening this pull request.
I'm concerned about having security-events: write with the pull_request trigger, as it makes this repository vulnerable to security event changes. Please see my comments for more details.
See also - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
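As an added example (not part of this pull request or of the Jenkins project's code), the check the review is asking for, written as a small workflow linter: it flags jobs that hold security-events: write in a workflow that a pull_request event can start. The workflow is a constructed sample given in the JSON form of the YAML, and the helper names are hypothetical.

```python
import json

# Constructed sample workflow (JSON form of the YAML a reviewer would read):
# a pull_request trigger combined with a job that holds security-events: write.
SAMPLE_WORKFLOW = json.loads("""
{
  "name": "Jenkins Security Scan",
  "on": {"pull_request": {}, "push": {"branches": ["master"]}},
  "permissions": {"contents": "read"},
  "jobs": {
    "scan": {
      "permissions": {"contents": "read", "security-events": "write"},
      "runs-on": "ubuntu-latest",
      "steps": [{"run": "echo scan"}]
    },
    "build": {
      "runs-on": "ubuntu-latest",
      "steps": [{"run": "echo build"}]
    }
  }
}
""")

# Events that can be started by an incoming pull request.
PR_TRIGGERS = {"pull_request", "pull_request_target"}


def triggers(workflow):
    """Return the set of event names in the workflow's 'on' block (string, list or mapping form)."""
    on = workflow.get("on", {})
    if isinstance(on, str):
        return {on}
    return set(on)  # list items or mapping keys are the event names


def effective_permissions(workflow, job):
    """Permissions a job runs with: a job-level block replaces the workflow-level one entirely."""
    perms = job.get("permissions", workflow.get("permissions", {}))
    if isinstance(perms, str):  # "read-all" / "write-all" shorthand
        return {"security-events": "write" if perms == "write-all" else "read"}
    return perms  # an absent block means repository defaults apply; not evaluated here


def risky_jobs(workflow):
    """Job ids that hold security-events: write while a pull request event can start the workflow."""
    if not triggers(workflow) & PR_TRIGGERS:
        return []
    return [name for name, job in workflow["jobs"].items()
            if effective_permissions(workflow, job).get("security-events") == "write"]
```

Running `risky_jobs(SAMPLE_WORKFLOW)` reports only the `scan` job; the same jobs under a push-only trigger are not reported.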
Co-authored-by: Yahav Itschak <[email protected]>
Thanks, @strangelookingnerd!
It is stated in the Jenkins Security Policy that we as plugin developers should try our best to support this. One way of doing so is to enable the Jenkins Security Scan on this repository. For more details see the documentation.
This PR may create new issues in the Code scanning section of this project once it is merged. I'd be happy to try and help resolve those if necessary.
Please note this PR was created semi-automatically. If you find any issue with it, don't hesitate to ping me.
For more details see the Jenkins Developers Google Group.
Submitter checklist