That's definitely a great idea! It would of course be great if you could create a PR to add this to our CI pipeline. From the docs it sounds like this can be configured just like any other GH Action. So, it should be possible to add this via a PR, right? Or are there any additional permissions needed to enable this?
-----Original Message-----
From: Cole Greer <[email protected]>
Sent: Tuesday, 3 January 2023 23:44
To: Dev Tinkerpop <[email protected]>
Subject: [DISCUSS] Adding Security Scanning to CI

Hi all,

I wanted to gauge interest in adding CodeQL to our GitHub Actions to add automated vulnerability checks to our CI pipeline. Alexey Temnikov has already done a test run on a TinkerPop fork which found an unsafe type conversion in gremlin-go as well as raising several warnings from code in both prism.js and jquery.js (both used for the site).

The total execution time for the job was 1h:50m (it runs in parallel to the existing build-test workflow). The vast majority of this execution time (1h:42m) was spent building all of our C# code using CodeQL's autobuilder. This runtime should be drastically improved by properly configuring a manual build for C#. With this build bottleneck alleviated, total execution time should be under 30 min.

I would suggest that if we proceed with enabling CodeQL, we initially configure it to ignore prism.js and jquery.js as those files in their current form will fail the scan. All warnings raised in those files should be discussed and a decision made whether it is worth pursuing any fixes.

For anyone looking for more information, the GitHub docs <https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning> are a good resource as well as the CodeQL <https://codeql.github.com/> website.

Thanks,
Cole Greer
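An added example, not code from this thread or from the TinkerPop project, of what the proposed setup could look like: a CodeQL workflow that swaps the C# autobuild for a manual `dotnet build` and skips the two vendored site scripts through a CodeQL config file. The branch name, language list, .NET version and solution path are assumptions.

```yaml
# file: .github/workflows/codeql.yml  (added example; branch, languages and paths are assumed)
name: CodeQL
on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
permissions:
  contents: read
  security-events: write   # required so analyze can upload SARIF results to code scanning
jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # one analysis job per language; csharp is the one the thread reports as the bottleneck
        language: [java, javascript, python, go, csharp]
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/codeql-config.yml
      # Manual C# build instead of the autobuilder (SDK version and solution path are assumed)
      - if: matrix.language == 'csharp'
        uses: actions/setup-dotnet@v3
        with:
          dotnet-version: '6.0.x'
      - if: matrix.language == 'csharp'
        run: dotnet build gremlin-dotnet/Gremlin.Net.sln --configuration Release
      # Every other language keeps the autobuilder (a no-op for interpreted languages)
      - if: matrix.language != 'csharp'
        uses: github/codeql-action/autobuild@v2
      - uses: github/codeql-action/analyze@v2
        with:
          category: "/language:${{ matrix.language }}"
---
# file: .github/codeql/codeql-config.yml
name: "TinkerPop CodeQL config"
# paths-ignore only filters interpreted languages (JavaScript here), which is
# exactly what is needed to leave the two vendored site scripts out of the scan for now.
paths-ignore:
  - "**/prism.js"
  - "**/jquery.js"
```

Because `paths-ignore` has no effect on compiled languages, narrowing C# or Java analysis would have to be done by what the manual build compiles rather than through this file.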
