Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add CodeQL Security Scan #770

Merged
merged 5 commits into from
May 21, 2021
Merged

Add CodeQL Security Scan #770

merged 5 commits into from
May 21, 2021

Conversation

KKelvinLo
Copy link
Member

Motivation

This PR is a follow-up to issue open-telemetry/oteps#144

CodeQL is GitHub's static analysis engine which scans repos for security vulnerabilities. As the project grows and we near GA it might be useful to have a workflow which checks for security vulnerabilities to ensure that every incremental change is following best development practices. Also passing basic security checks will also make sure that there aren't any glaring issues for our users.

Changes

  • This PR adds CodeQL security checks to the repository
  • After every run the workflow will upload the results to GitHub.

Workflow Triggers

  • daily cron job at 1:30 am
  • workflow_dispatch (in the case that the maintainers want to trigger a manual security check)
  • CHANGELOG.md updated for non-trivial changes
  • [] Unit tests have been added
  • [] Changes in public API reviewed

@KKelvinLo KKelvinLo changed the title Add codeql Add CodeQL Security Scan May 20, 2021
@KKelvinLo KKelvinLo marked this pull request as ready for review May 20, 2021 01:07
@KKelvinLo KKelvinLo requested a review from a team May 20, 2021 01:07
@codecov
Copy link

codecov bot commented May 20, 2021
edited
Loading

Codecov Report

Merging #770 (49b9d18) into main (af9cd15) will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##             main     #770   +/-   ##
=======================================
  Coverage   95.95%   95.95%           
=======================================
  Files         176      176           
  Lines        7172     7172           
=======================================
  Hits         6882     6882           
  Misses        290      290

@KKelvinLo
update changelog
e07604a 
rename workflow

update changelog

update format

update format
@maxgolov maxgolov linked an issue May 20, 2021 that may be closed by this pull request
Set up CodeQL GitHub action for OpenTelemetry C++ SDK repo #652
Closed
@maxgolov
Copy link
Contributor

@KKelvinLo - could you please take a look why the check hasn't been showing in the list of successful checks? You may want to adjust the template a bit for the results to show under the Security tab, maybe naming the step as CodeQL.

Template that's been missing the setup parts:
https://github.com/open-telemetry/opentelemetry-cpp/pull/654/files

@maxgolov
Copy link
Contributor

Maybe it's all good already. Perhaps it'd show the results after merge?... 🤷

lalitb
lalitb reviewed May 20, 2021
View reviewed changes
Copy link
Member

@lalitb lalitb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for adding this. Will the CodeQL workflow fails if there are any security vulnerabilities, or it just uploads the result somewhere and we need to periodically keep checking it?

maxgolov
maxgolov reviewed May 20, 2021
View reviewed changes
.github/workflows/codeql-analysis.yml Outdated
@@ -0,0 +1,36 @@
name: "CodeQL Code Scan"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
name: "CodeQL Code Scan"
name: "CodeQL"

That should show the code scan result under Security tab?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep it if is enabled in the security tab, the action will post to the alerts

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to click on that in the Security tab or do we need to rename it to CodeQL ?

@KKelvinLo
Copy link
Member Author

Thank you for adding this. Will the CodeQL workflow fails if there are any security vulnerabilities, or it just uploads the result somewhere and we need to periodically keep checking it?

This workflow will post the results under the security tab, the workflow will pass

@KKelvinLo
Copy link
Member Author

@KKelvinLo - could you please take a look why the check hasn't been showing in the list of successful checks? You may want to adjust the template a bit for the results to show under the Security tab, maybe naming the step as CodeQL.

Template that's been missing the setup parts:
https://github.com/open-telemetry/opentelemetry-cpp/pull/654/files

It should be good now - changed it from a cron schedule to on pull request and on push

@maxgolov
Copy link
Contributor

Code scanning results / CodeQL Timed out after 109m

It got crashed on recursive submodules?! 😀

I guess we need to exclude third_party directory.

@alolita
Copy link
Member

alolita commented May 20, 2021

😀 @KKelvinLo can you please exclude the third-party directories. Let's make sure the workflow is robust. Thanks!

Thanks @maxgolov @ThomsonTan @lalitb for reviewing and merging!

@KKelvinLo
Copy link
Member Author

KKelvinLo commented May 20, 2021
edited
Loading

Code scanning results / CodeQL Timed out after 109m

It got crashed on recursive submodules?! 😀

I guess we need to exclude third_party directory.

After digging through GitHub Actions documentation it doesn't look like there's an explicit exclude directory option, so I added a bash command to remove the third_party directory after checking out the code.

@lalitb
Copy link
Member

lalitb commented May 21, 2021

Code scanning results / CodeQL Timed out after 109m

It got crashed on recursive submodules?! 😀
I guess we need to exclude third_party directory.

After digging through GitHub Actions documentation it doesn't look like there's an explicit exclude directory option, so I added a bash command to remove the third_party directory after checking out the code.

Thanks. Instead of removing the third-party folder later, we can also checkout the repo without submodules :). For now, can you rebase the branch with main, as that will allow us to merge the PR

@KKelvinLo
Copy link
Member Author

Rebased!

@lalitb lalitb merged commit b6bf10f into open-telemetry:main May 21, 2021
@ThomsonTan ThomsonTan mentioned this pull request May 25, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ThomsonTan ThomsonTan ThomsonTan approved these changes

@lalitb lalitb lalitb approved these changes

@maxgolov maxgolov maxgolov approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Set up CodeQL GitHub action for OpenTelemetry C++ SDK repo
5 participants
@KKelvinLo @maxgolov @alolita @lalitb @ThomsonTan