For a few weeks now, GitHub has allowed a default setup for code scanning (CodeQL). If this default is enabled and you add a configuration through StepSecurity it will fail. See the logs from the sequelize repo here, especially the last two lines, which contain the following error:
Error: Code Scanning could not process the submitted SARIF file:
CodeQL analyses from advanced configurations cannot be processed when the default setup is enabled
StepSecurity should not recommend enabling CodeQL through the 'advanced' setup (through a yml file) when the 'default' is used.
Thanks, @WikiRik! I will try to determine how to check whether the default setup is enabled. Would you happen to know if this info is part of earlier PRs (e.g., PR comments by CodeQL)? Or, how can one tell this based on GitHub API?
This might also need a change to Scorecard. I will check there as well.
That's the thing I am unsure about. Enabling the default setup does not change the codebase of the repo in any way, so there is no PR for that. I believe therefore it can only be enabled by people with write access (but I haven't checked which permissions, if any, are needed). You could see if CodeQL is run under the Actions tab, like https://github.com/sequelize/sequelize/actions/workflows/github-code-scanning/codeql
I haven't looked at the GitHub API yet, but that seems like the easiest way to detect it. It might also be something that is not yet available but will be added soon since the default setup is a relatively new feature.
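One way the check discussed above could be implemented, as an added example that is not StepSecurity's or Scorecard's code: it assumes the GitHub REST endpoint `GET /repos/{owner}/{repo}/code-scanning/default-setup` (not named in the thread) and a JSON body whose `state` field is `configured` or `not-configured`; the sample bodies are constructed, not captured responses.

```python
import json
import urllib.error
import urllib.request

API = "https://api.github.com"

# Constructed sample bodies in the shape assumed for the endpoint (not captured output).
SAMPLE_CONFIGURED = {"state": "configured", "languages": ["javascript-typescript"], "query_suite": "default"}
SAMPLE_NOT_CONFIGURED = {"state": "not-configured", "languages": [], "query_suite": "default"}


def fetch_default_setup(owner: str, repo: str, token: str):
    """GET the default-setup status; returns the parsed JSON body, or None
    when the API refuses (token lacks permission, code scanning unavailable)."""
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/code-scanning/default-setup",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError:
        return None


def classify(setup) -> str:
    """Map the API answer to a recommendation for the secure-repo tool.

    'skip'      - default setup is on; an advanced codeql.yml would make the
                  SARIF upload fail with the error quoted in the issue.
    'recommend' - default setup is explicitly off; the workflow file is safe.
    'unknown'   - could not determine; warn rather than silently adding it.
    """
    if not setup:
        return "unknown"
    state = setup.get("state")
    if state == "configured":
        return "skip"
    if state == "not-configured":
        return "recommend"
    return "unknown"


def recommendation_for(owner: str, repo: str, token: str) -> str:
    return classify(fetch_default_setup(owner, repo, token))


if __name__ == "__main__":
    import os, sys
    owner_repo = sys.argv[1] if len(sys.argv) > 1 else "sequelize/sequelize"
    print(recommendation_for(*owner_repo.split("/"), os.environ.get("GITHUB_TOKEN", "")))
```

Run with a token that can read code scanning settings; an `unknown` result should be surfaced to the user rather than treated as permission to add the workflow file.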