CodeQL Action #11657
Replies: 2 comments 1 reply
-
Hopefully it's not going to be as annoying as dependabot. Worth seeing how it performs.
-
Initial run lists 10 issues: https://github.com/bokeh/bokeh/security/code-scanning Most of these are in test or example code and could be marked false positive. I guess the question is whether marking something once persists into the future, or whether there is a way to exclude tests/examples dirs (the current config will suppress runs unless there are changes under bokeh or bokehjs, but when there is a run, it still examines everything). The "clear text logging" is also a false positive, since the intended and express purpose of that command is for users to run to generate and output new keys. The only one I wonder maybe we could try to find a way to improve is https://github.com/bokeh/bokeh/security/code-scanning/1?query=ref%3Arefs%2Fheads%2Fbranch-3.0
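One way to keep alerts from test and example code out of the scan, as an added example and not a file from the bokeh repository or this thread: a CodeQL configuration file with `paths-ignore`, wired into the workflow's `init` step. The file path, the directory names `tests` and `examples`, and the `python, javascript` language list are assumptions about the repository layout.

```yaml
# .github/codeql/codeql-config.yml  (assumed path; not taken from the thread)
name: "Bokeh CodeQL config"

# Directories excluded from analysis. The names are assumptions based on
# the thread's mention of "tests/examples dirs"; match them to the real tree.
# Unlike dismissing an alert in the web UI, this is versioned with the code
# and applies to every future run.
paths-ignore:
  - tests
  - examples

# Drop one query repository-wide instead of dismissing each alert by hand.
# This is the Python "clear-text logging of sensitive information" query
# that flagged the intentional key-generation output.
query-filters:
  - exclude:
      id: py/clear-text-logging-sensitive-data

# The workflow must reference this file, e.g. in the analysis job:
#   - uses: github/codeql-action/init@v2
#     with:
#       languages: python, javascript
#       config-file: ./.github/codeql/codeql-config.yml
```

A `query-filters` exclusion silences that query for production code too, so reserve it for queries whose findings are intended behaviour and use `paths-ignore` for the test and example directories.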
-
Just an FYI I added a commit to enable CodeQL scanning from Github:
https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning
I just want to see what its output looks like and how it performs. We can discuss keeping it or not in a few days.
cc @mattpap