This repository has been archived by the owner on Oct 15, 2022. It is now read-only.
ci: add codeql scanning to repo #370
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Substrate CodeQL Scanning
In an effort to increase the Application Security bar at Stedi - the Substrate team is enabling CodeQL Scanning on all application code repositories at Stedi. GitHub's CodeQL is a static code anaylsis tool - specifically with the the goal of finding application level security vulnerabilities or misconfigurations, as well as meeting compliance/due dilligence obligations to our customers.
For an example of CodeQL in action against a serverless workload with real vulnerabilities - see a sample run here on the Damn Vulnerable Serverless Application
FAQ
Am I required to accept this PR?
No. However - it is highly recommended for any serious codebase at Stedi, and we purposely choose CodeQL tooling due to its low noise level, and fidelity of findings. If you choose not to accept this PR - please take the time to document the reasoning in a comment before closing the PR. Our tooling will not create additional pull requests UNLESS you change the name of the original PR to something else.
With that being said - security at Stedi is a partnership between service teams and Substrate - our tooling/processes cannot get better if people dont consume it and provide feedback.
What types of issues can CodeQL detect?
See the CodeQL Query Help guide for the language in question to get an idea of possible issues detectable by CodeQL. Feel free to engage #eng-substrate with additional questions
How do I view findings?
Findings make native use of the GitHub UI and can be viewed either:
Will CodeQL block our pipelines?
No, this is configured at the repo level anyway, and the service team retains full control of this. Findings will appear on PRs or at the Repo level in the security tab. Teams may choose to make CodeQL a blocking check if they wish once they are comfortable with it.
SAST tools tend to be noisy - will this produce incorrect results?
Our Tool evaluation process consisted of a Substrate engineer taking multiple SAST tools, running them against every repository in the company (local clones when possible), and then being tasked with handling all of the findings one-by-one. CodeQL stood out as a tool where we easily identified actual security issues in code, the amount of noise/useless findings were minimized, and we have the power to customize it to the unique application security needs at Stedi.
If you find a particular finding to be noisy - please reach out to #eng-substrate so we can investigate and potientially tune the query.
I don't understand a finding - what should I do?
The CodeQL Query Help are rather solid with both vulnerable code and remediation samples, but you can always engage #eng-substrate for direct help.