Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: add codeQL to CI #23949

Merged
merged 1 commit into from
May 5, 2023
Merged

Conversation

dpgaspar
Copy link
Member

@dpgaspar dpgaspar commented May 5, 2023

SUMMARY

Add codeQL to our CI workflow.

CodeQL is the code analysis engine developed by GitHub to automate security checks. You can analyze your code using CodeQL and display the results as code scanning alerts.

Main docs: https://docs.github.com/en/code-security

Will perform python code scanning when:

  • A PR is merged to master
  • A PR is opened -> Results for the PR are available to everyone as annotations
  • Daily at 04:00am -> Results are only available to repo writers

For Pull requests:
If you have read permission for a repository, you can see annotations on pull requests. With write permission, you can see detailed information and resolve code scanning alerts for that repository.

Heres an example from a test PR:

Screenshot 2023-05-05 at 14 23 34

List of common weakness detection: https://codeql.github.com/codeql-query-help/python-cwe/

This will work as a trial, if may be proven unproductive to have codeQL enabled for every PR. So disabling for PR's or further tweaking will probably be needed.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

Copy link
Member

@rusackas rusackas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nonblocking question about gradually widening the scope of the tooling, but I love this!

push:
branches: [ "master" ]
paths:
- 'superset/**'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to widen this to the whole codebase? maybe in a subsequent PR, once we've gotten the first part under control?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it would, javascript and typescript are supported. let's give it a ride first on the backend

@dpgaspar dpgaspar merged commit 2a63b39 into apache:master May 5, 2023
@dpgaspar dpgaspar deleted the chore/add-codeql-ci branch May 5, 2023 18:39
@mistercrunch mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 3.0.0 labels Mar 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels size/M 🚢 3.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants