Skip to content
This repository has been archived by the owner on Aug 6, 2022. It is now read-only.

ci: add codeql scanning to repo #1

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Conversation

rileydakota
Copy link

Substrate CodeQL Scanning

⚠️ This PR was auto-created by Substrate

In an effort to increase the Application Security bar at Stedi - the Substrate team is enabling CodeQL Scanning on all application code repositories at Stedi. GitHub's CodeQL is a static code anaylsis tool - specifically with the the goal of finding application level security vulnerabilities or misconfigurations, as well as meeting compliance/due dilligence obligations to our customers.

For an example of CodeQL in action against a serverless workload with real vulnerabilities - see a sample run here on the Damn Vulnerable Serverless Application

FAQ

Am I required to accept this PR?

No. However - it is highly recommended for any serious codebase at Stedi, and we purposely choose CodeQL tooling due to its low noise level, and fidelity of findings. If you choose not to accept this PR - please take the time to document the reasoning in a comment before closing the PR. Our tooling will not create additional pull requests UNLESS you change the name of the original PR to something else.

With that being said - security at Stedi is a partnership between service teams and Substrate - our tooling/processes cannot get better if people dont consume it and provide feedback.

What types of issues can CodeQL detect?

See the CodeQL Query Help guide for the language in question to get an idea of possible issues detectable by CodeQL. Feel free to engage #eng-substrate with additional questions

How do I view findings?

Findings make native use of the GitHub UI and can be viewed either:

  • At the Repo Level by clicking the Security tab and then clicking Code Scanning
  • At the PR level findings will be shown inline with the code

Will CodeQL block our pipelines?

No, this is configured at the repo level anyway, and the service team retains full control of this. Findings will appear on PRs or at the Repo level in the security tab. Teams may choose to make CodeQL a blocking check if they wish once they are comfortable with it.

SAST tools tend to be noisy - will this produce incorrect results?

Our Tool evaluation process consisted of a Substrate engineer taking multiple SAST tools, running them against every repository in the company (local clones when possible), and then being tasked with handling all of the findings one-by-one. CodeQL stood out as a tool where we easily identified actual security issues in code, the amount of noise/useless findings were minimized, and we have the power to customize it to the unique application security needs at Stedi.

If you find a particular finding to be noisy - please reach out to #eng-substrate so we can investigate and potientially tune the query.

I don't understand a finding - what should I do?

The CodeQL Query Help are rather solid with both vulnerable code and remediation samples, but you can always engage #eng-substrate for direct help.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant