That makes sense Jacques. It is critical. I tried with one of my repositories and found that Code scanning alerts under Security are only visible to people with write access i.e. Committers.
Citation from article Managing code scanning alerts for your repository[1] *"Anyone with read permission for a repository can see code scanning alerts on pull requests. However, you need write permission to view a summary of alerts for repository on the Security tab."* Though I will spend some more time checking its behavior with other scenarios like PR. 1. https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository#viewing-an-alert Thanks and Regards, Aditya Sharma On Fri, Oct 2, 2020 at 10:19 PM Jacques Le Roux < [email protected]> wrote: > Hi Aditya, > > We (I at least) receive already security alerts for our website code. It > notably leaded to https://gitbox.apache.org/repos/asf?p=ofbiz-site.git > > As long are we are able to restrict the alerts sending to committers, it's > OK with me. I'd not like other people to receive zero days information... > > Thanks > > Jacques > > Le 02/10/2020 à 15:06, Aditya Sharma a écrit : > > Hi team, > > > > I think we can enable the code scanning security feature for all the > OFBiz > > repositories available with GitHub that helps identifying security > > vulnerabilities using CodeQL. > > > > https://github.com/apache/ofbiz-framework/security/code-scanning > > https://securitylab.github.com/tools/codeql > > > > Citation from > > > https://www.infoworld.com/article/3453742/github-makes-codeql-free-for-research-and-open-source.html > > : > > *"CodeQL, a semantic code analysis engine and query tool for finding > > security vulnerabilities across a codebase, has been made available for > > free by GitHub for anyone to use in research or to analyze open source > > code."* > > > > If no one is against it, I will move ahead with it. > > > > Thanks and Regards, > > Aditya Sharma > >
