CodeQL workflow for Java #214
Conversation
![cko-developer-portal[bot]](https://avatars.githubusercontent.com/u/86670440?s=60&v=4){kind=small}
Change the runner to `ubuntu-latest`
Add gradle clean action
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
jheng-hao-lin-cko
requested review from
chintan-soni-cko and
fabio-insolia-cko
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| language: [ 'java' ] |
There was a problem hiding this comment.
Does this not need Kotlin on the list ?
There was a problem hiding this comment.
Not for now, if we look at here it states:
CodeQL treats Java and Kotlin as parts of the same language, so to enable Kotlin support you should enable java as a language.
Issue
PIMOB-2199
Why has this PR been raised?
The Engineering Experience and Security teams have been working together to help secure our repositories. This includes enabling Github features such as Advanced Security and Secret Scanning.
This PR is to add a Github Actions workflow for running CodeQL.
What is CodeQL?
CodeQL is the analysis engine used by developers to automate security checks, and by security, researchers to perform variant analysis.
In CodeQL, code is treated like data. Security vulnerabilities, bugs, and other errors are modeled as queries that can be executed against databases extracted from code. You can run the standard CodeQL queries, written by GitHub researchers and community contributors, or write your own to use in custom analyses. Queries that find potential bugs highlight the result directly in the source file.
See more details here.
What does my team need to do?
To run this workflow you might need to make a few changes to this file.
Some changes are:
Running on public runners
CodeQL workflow is pre-configured to run on self-hosted runners associated with your organization by default.
If organization does not have any self hosted runners, submit a request via Fresh Service(GitHub Organisation Self Hosted Runners Onboarding).
However, as an exception or in case of unforeseen failure you can update your workflow to run on public runners.
runs on: [...]toruns on: [ubuntu-latest]What should we do if we have any problems with this?
If you encounter any issues, please message the #ask-security channel, a Security Champion in your team or Engineering area, or Application Security (Andra Lezza)
Why has this PR been raised again, we closed the last one.
If your repo is not part of an exemption list and has been tagged as needing to be scanned, you will need to first merge the codeql-analysis*.yml file and kick off a code scan before closing the PR.