On Thu, Dec 2, 2021 at 4:11 PM Jean-Marc Meessen <[email protected]> wrote:

> While checking a reference project (file-parameter-plugin
> <https://github.com/jenkinsci/file-parameters-plugin>) for proper CD
> setup, I have seen that the repository is flagged as "
> *jenkins-security-scan-enabled*". I understand, but maybe being just
> naive, that some sort of static security analysis is enabled.
>
> I didn't see anything in the reference project or in the documentation
>

That was (is?) a prototype of security scans of all branches of a repo,
rather than the "default branch only" approach mentioned in
https://www.jenkins.io/blog/2020/11/04/codeql/ -- which is why the labeled
repos are just plugins maintained by Mark, Oleg, Jesse or me. Since this
approach doesn't scale all that well (all of the scanning runs on a private
Jenkins security team CI instance that does not receive webhooks), I've
abandoned making it official in favor of something like a GitHub Action I
hope to still publish this year.

Meanwhile, you are welcome to label your plugin repo, and within a day or
two, you should see security scans show up in your repo at Security -> Code
scanning alerts. (The same goes for everyone else reading this: go nuts and
make me make progress with the GH Actions!) Since it's unofficial, it may
just disappear some time after I've published the official alternative, but
if you read this list, you'll learn about that and can set that up instead.

Since the findings are the same no matter how the scan is invoked, if
they're unclear or otherwise unhelpful, please email me, or the
jenkinsci-cert list, about them.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtJz%3DqbJU3OC2k9gzrDsW-9H6eqUCG3Q77-r4u5JbOFz%3Dg%40mail.gmail.com.
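The difference between the "all branches" prototype and the "default branch only" CodeQL setup from the blog post comes down to workflow triggers. The following GitHub Actions workflow is an added illustration of that point; it is not the prototype, not the Action the reply refers to, and not code from any Jenkins project repository. It assumes a Maven-built Java plugin, the github/codeql-action steps, and placeholder action version tags, file name, branch patterns and cron schedule chosen for this example.

```yaml
# .github/workflows/codeql.yml
# Added example, not the Jenkins security team's workflow. Version tags,
# branch patterns and the schedule below are assumptions for illustration.
name: CodeQL

on:
  push:
    # '**' scans every branch that is pushed, which is the behaviour the
    # prototype above provides. Narrow this to [ master ] (or main) to get
    # the default-branch-only behaviour from the blog post.
    branches: [ '**' ]
  pull_request:
  schedule:
    - cron: '17 3 * * 1'   # weekly rescan so stale branches pick up new queries

permissions:
  contents: read
  security-events: write   # required to upload results to Security -> Code scanning alerts

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 11

      - uses: github/codeql-action/init@v3
        with:
          languages: java

      # CodeQL traces the Java compilation, so the plugin has to be built.
      # Tests are skipped because only compilation matters for the database.
      - run: mvn -B -ntp -DskipTests package

      - uses: github/codeql-action/analyze@v3
```

With this in place the alerts appear under Security -> Code scanning alerts for each scanned branch, the same place the labeled-repo prototype publishes to; since the findings come from the same CodeQL queries either way, unclear results can be reported exactly as the reply asks.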