🌱 Remove JavaScript CodeQL linting #1354
Conversation
Signed-off-by: Adam Harvey <33203301+adamdmharvey@users.noreply.github.com>
|
Here's how it now looks on my fork: 
|
adamdmharvey
changed the title
I believe the JS analysis also covers things like GitHub Actions: It's caught things for us before on ossf/scorecard |
Thanks for the feedback! Will check into that. For this repo at least, the Action notes:
I checked an action on |
|
Looks like the difference may be this repo isn't doing: # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v1
with:
languages: ${{ matrix.language }}
+ queries: +security-extendedMaybe the alternative is to turn that ON here too? |
|
At least based on this doc "Expression injection in Actions" is listed for both default and |
|
Will give this a close, based on the point re: validating extracted/interpreted JS through embeddings in actions. Good feedback thx! |
This PR eliminates the JavaScript CodeQL scanning in the Actions workflows.
Currently, each PR scans both Go and JavaScript:
However, the only JavaScript in the repo is a single file. This file was added via #23 when the CodeQL workflow was breaking; but it was breaking because there was NO CodeQL scanning language set at the time. (so the "fix" was to go from none, to JavaScript, adding the single line JavaScript file which just spits out to console the word "codeql" 😁 ) But since Go was added, JavaScript should no longer be necessary.
This will eliminate about 1.5 minutes of CodeQL workflow scanning during each actions run.
No release should be necessary.