
ER: Review protection rules for CodeQL PR check failure #5033

Closed
2 of 5 tasks
SAUMILDHANKAR opened this issue Jul 19, 2023 · 3 comments
Labels
Complexity: Medium ER Emergent Request feature: research ready for dev lead Issues that tech leads or merge team members need to follow up on role: back end/devOps Tasks for back-end developers size: 0.25pt Can be done in 0.5 to 1.5 hours

Comments


SAUMILDHANKAR commented Jul 19, 2023

Emergent Requirement - Problem

Currently, the protection rules for CodeQL PR check failure are set to default levels. So, the PR check fails if there is a security alert of level high or critical or if there is an error. We would like to review these and decide if the protection rules should be made stricter, more relaxed or fine as it is.

Issue you discovered this emergent requirement in

Date discovered

6/26/2023

Did you have to do something temporarily

  • YES
  • NO

Who was involved

@roslynwythe @t-will-gillis @SAUMILDHANKAR

What happens if this is not addressed

CodeQL PR checks would continue running at default levels. PR checks won't pass if an alert belongs to high/critical/error.

Resources

For more information about GitHub code scanning, check out the documentation.
Code Scan Results
List of all CodeQL JS queries
Protection rules CodeQL PR check

Recommended Action Items

  • Make a new issue
  • Discuss with team
  • Let a Team Lead know

Potential solutions [draft]

A first approach could be to go through the alert levels currently displayed for the website repo and, based on that, decide if the PR check should fail for any similar alert level and update the rules accordingly.

A more detailed analysis might involve going through the alert levels of all the JS queries in the following folder: https://github.com/github/codeql/tree/main/javascript/ql/src, and then, based on the HfLA website repo's codebase, deciding on the level of protection rules that would align with the team's preference.
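To make the review concrete, here is an added example (not code from the HfLA website project or from GitHub) that models how a "Check Failure" protection rule decides a PR check from a scan's results: security alerts are compared against a minimum `security-severity` band, and non-security alerts against a minimum alert level (`note`/`warning`/`error`). The default policy mirrors the behaviour described in the problem statement (high or critical security alerts, or errors, fail the check), and the stricter and more relaxed policies correspond to the options the issue asks the team to weigh. The SARIF-shaped input, the rule ids and their scores are constructed sample data, and the score-to-label bands are an assumption based on GitHub's documented CVSS mapping; the real gate is evaluated by GitHub, so this only illustrates the decision.

```python
"""Illustrative model of a CodeQL "Check Failure" protection rule.

Added example, not HfLA project code. Reads a minimal SARIF-shaped
structure and reports which alerts would fail a PR check under a policy.
"""
from dataclasses import dataclass

# Assumption: GitHub maps the numeric `security-severity` rule property
# (a CVSS score) to these labels; bands are checked from highest down.
SECURITY_BANDS = (("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.0))
SECURITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
LEVEL_RANK = {"note": 0, "warning": 1, "error": 2}


def security_label(score):
    """Map a numeric security-severity score to its label."""
    for label, floor in SECURITY_BANDS:
        if score >= floor:
            return label
    return "low"


@dataclass(frozen=True)
class Policy:
    """Minimum security severity and minimum alert level that fail the check.
    Defaults mirror the issue text: 'high or higher' and 'errors'."""
    min_security: str = "high"
    min_level: str = "error"


def classify(sarif):
    """Yield (rule_id, level, security_label_or_None) for each result.
    A result's explicit level overrides the rule's default level."""
    rules = {}
    for run in sarif["runs"]:
        for rule in run["tool"]["driver"].get("rules", []):
            rules[rule["id"]] = rule
    for run in sarif["runs"]:
        for result in run.get("results", []):
            rule = rules.get(result["ruleId"], {})
            default_level = rule.get("defaultConfiguration", {}).get("level", "warning")
            level = result.get("level", default_level)
            score = rule.get("properties", {}).get("security-severity")
            sec = security_label(float(score)) if score is not None else None
            yield result["ruleId"], level, sec


def blocking_alerts(sarif, policy=Policy()):
    """Alerts that would fail the check: security alerts are judged by
    security severity, all other alerts by level (assumed GitHub behaviour)."""
    blocked = []
    for rule_id, level, sec in classify(sarif):
        if sec is not None:
            if SECURITY_RANK[sec] >= SECURITY_RANK[policy.min_security]:
                blocked.append((rule_id, f"security:{sec}"))
        elif LEVEL_RANK[level] >= LEVEL_RANK[policy.min_level]:
            blocked.append((rule_id, f"level:{level}"))
    return blocked


def check_passes(sarif, policy=Policy()):
    """True when no alert trips the policy."""
    return not blocking_alerts(sarif, policy)


# Constructed sample input: rule ids and scores are illustrative, not real scan output.
SAMPLE_SARIF = {
    "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "js/xss", "defaultConfiguration": {"level": "error"},
             "properties": {"security-severity": "6.1"}},
            {"id": "js/sql-injection", "defaultConfiguration": {"level": "error"},
             "properties": {"security-severity": "8.8"}},
            {"id": "js/unused-local-variable", "defaultConfiguration": {"level": "note"}},
            {"id": "js/useless-assignment", "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "js/xss"},
            {"ruleId": "js/sql-injection"},
            {"ruleId": "js/unused-local-variable"},
            {"ruleId": "js/useless-assignment", "level": "error"},  # explicit override
        ],
    }]
}

if __name__ == "__main__":
    for name, policy in (("default", Policy()),
                         ("stricter", Policy("medium", "warning")),
                         ("relaxed", Policy("critical", "error"))):
        print(name, "passes" if check_passes(SAMPLE_SARIF, policy) else "fails",
              blocking_alerts(SAMPLE_SARIF, policy))
```

Running the three policies over the same sample shows the trade-off the issue raises: the default fails on the high-severity security alert and the error-level alert, the stricter setting additionally fails on the medium-severity alert, and the relaxed setting lets every security alert below critical through while still failing on errors.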

@SAUMILDHANKAR SAUMILDHANKAR added Feature Missing This label means that the issue needs to be linked to a precise feature label. role missing size: 0.25pt Can be done in 0.5 to 1.5 hours labels Jul 19, 2023

@SAUMILDHANKAR SAUMILDHANKAR added role: back end/devOps Tasks for back-end developers Complexity: Medium feature: research and removed role missing Feature Missing This label means that the issue needs to be linked to a precise feature label. labels Jul 20, 2023
@SAUMILDHANKAR
Member Author

@roslynwythe just wanted to let you know that this ER is ready for PM approval. Thank you.

@Josiah-O Josiah-O added this to the 08. Team workflow milestone Jul 22, 2023
@SAUMILDHANKAR SAUMILDHANKAR added the ready for dev lead Issues that tech leads or merge team members need to follow up on label Jul 26, 2023
@kimberlytanyh kimberlytanyh added the ER Emergent Request label Sep 10, 2023
@roslynwythe
Member

Let's stick with the current settings for now.


No branches or pull requests

4 participants