GitHub Actions: Implement CodeQL #2400

Closed
9 tasks done
macho-catt opened this issue Oct 26, 2021 · 61 comments · Fixed by #4886
Labels
Complexity: Large Feature: Board/GitHub Maintenance Project board maintenance that we have to do repeatedly role: back end/devOps Tasks for back-end developers size: 2pt Can be done in 7-12 hours
Comments

macho-catt commented Oct 26, 2021

Overview

As developers, we need to ensure that we write secure code and defend against vulnerabilities. To do so, we need to configure code scanning using CodeQL.

Action Items

  • Research and investigate how we can use CodeQL
    • Any notes should be documented in this ticket or should be stored on the website team's Google Drive
  • We want CodeQL to scan the vulnerabilities for the following:
    • JS code
    • GitHub Actions
    • Liquid
  • Create a prototype on your own fork of the repository
  • Schedule a time with the dev team and the lead to demo your findings and implementation
  • Once approved, write a pull request to implement CodeQL

Resources/Instructions

Code Scanning in GitHub
About CodeQL
Events that trigger workflows
Workflow syntax for GitHub Actions
actions/github-script
GitHub REST API

SAUMILDHANKAR commented May 4, 2023

Progress update:

  • For working with Liquid code, I created a custom script so that if there is Liquid code with the syntax `{{ xxx }}` in the comments of an HTML file, there should be a code scanning alert. I was able to generate the code scanning alert for an instance created in a test HTML file.
  • I am using this query in a yaml file to generate the code scanning alerts for this case.
  • Next, I will clean up my code so it is ready for demo before reaching out to the leads for feedback. Planning to reach out by this coming Sunday.
  • We can also discuss if other custom queries should be explored.

Blockers: No blockers.
Availability: 5 hours per week.
ETA: 5/10/23
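
As an added illustration (not SAUMILDHANKAR's CodeQL query, which is not shown on the page), here is a plain-Python version of the same check: flag Liquid tags that sit inside HTML comments. The sample HTML is constructed. The reason the check matters is that Jekyll evaluates Liquid before the HTML is emitted, so a tag inside `<!-- -->` still executes; commenting it out does not disable it.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of a Jekyll/Liquid HTML template (not from the repository).
SAMPLE_HTML = """<!-- header -->
<h1>{{ page.title }}</h1>
<!-- TODO remove: {{ site.title }} -->
<p>ok</p>
<!--
  {% include nav.html %}
-->
<!-- plain comment -->
"""

# Liquid output tags {{ ... }} and logic tags {% ... %}.
LIQUID_TAG = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)
# HTML comments, which may span several lines.
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)


@dataclass(frozen=True)
class Finding:
    line: int   # 1-based line on which the Liquid tag starts
    tag: str    # the Liquid tag found inside the comment


def find_liquid_in_comments(html: str) -> List[Finding]:
    """Return every Liquid tag located inside an HTML comment.

    Tags outside comments (line 2 of the sample) are legitimate and ignored;
    tags inside comments are reported because Liquid still renders them.
    """
    findings = []
    for comment in HTML_COMMENT.finditer(html):
        body_start = comment.start(1)
        for tag in LIQUID_TAG.finditer(comment.group(1)):
            offset = body_start + tag.start()
            line = html.count("\n", 0, offset) + 1
            findings.append(Finding(line, tag.group(0).strip()))
    return findings


if __name__ == "__main__":
    for f in find_liquid_in_comments(SAMPLE_HTML):
        print(f"line {f.line}: Liquid inside HTML comment: {f.tag}")
```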

@SAUMILDHANKAR

Progress update:

  • I have cleaned up my documentation and am ready for demo to the leads.

Blockers: No blockers.
Availability: 5 hours per week.
ETA: 5/25/23

@jdingeman Hi Justin, I would like to demo my research on this issue before making a pull request. Please recommend a suitable time to connect. My schedule is flexible, and I can make it around team meeting slots or any other time as well. I will leave a note on Slack as well. Thank you.

SAUMILDHANKAR commented Jun 15, 2023

Progress update:

  • Following up with dev team if demo might be preferred before making the pull request.

Blockers: No blockers.
Availability: 5 hours per week.
ETA: 6/20/23

@t-will-gillis

Hi @SAUMILDHANKAR, thanks so much for your extensive work on this issue. There is a lot of info here to digest and I apologize if I am asking questions that you have already answered, but just to confirm: the current implementation will scan all of the JS files in the website repo and generate, in this case, the 57 notifications that we could address one by one. Then it is also scanning future PRs, correct? You indicate that it will block merging for critical or high security issues; for the others I assume it would flag the issues so they could be addressed before merging?

Side discussion: As a group, do we need to decide which “Protection rules” to use, i.e. what “Security” level and “Errors, Warnings, or Any”, or for now do we go with the defaults?

Lastly, the 3 linked comments I believe refer to custom queries you wrote for scanning YAML and Liquid code. Would these scans run at the same time as the scans for the JS files?

Thank you again; this is going to be very useful when it is up and running.
