Skip to content

Add CodeQL workflow #1767

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 27, 2023
Merged

Add CodeQL workflow #1767

merged 1 commit into from
Jun 27, 2023

Conversation

jorgectf
Copy link
Contributor

Hello from GitHub Security Lab!

Your repository is critical to the security of the Open Source Software (OSS) ecosystem and as part of our mission to make OSS safer, we are contributing a CodeQL configuration for code scanning to your repository. By enabling code scanning with CodeQL, you will be able to continuously analyze your code and surface potential vulnerabilities before they can even reach your codebase. In fact, you may have seen some alerts already appearing on this pull request!

We’ve tested the configuration manually before opening this pull request and adjusted it to the needs of your particular repository, but feel free to tweak it further! Check this page for detailed documentation.

Questions? Check out the FAQ below!

FAQ

Click here to expand the FAQ section

How often will the code scanning analysis run?

By default, code scanning will trigger a scan with the CodeQL engine on the following events:

  • On every pull request — to flag up potential security problems for you to investigate before merging a PR.
  • On every push to your default branch and other protected branches — this keeps the analysis results on your repository’s Security tab up to date.
  • Once a week at a fixed time — to make sure you benefit from the latest updated security analysis even when no code was committed or PRs were opened.

What will this cost?

Nothing! The CodeQL engine will run inside GitHub Actions, making use of your unlimited free compute minutes for public repositories.

What types of problems does CodeQL find?

By default, code scanning runs the default query suite.

How do I upgrade my CodeQL engine?

No need! New versions of the CodeQL analysis are constantly deployed on GitHub.com; your repository will automatically benefit from the most recently released version.

The analysis doesn’t seem to be working

If you get an error in GitHub Actions that indicates that CodeQL wasn’t able to analyze your code, please follow the instructions here to debug the analysis.

Which source code hosting platforms does code scanning support?

GitHub code scanning is deeply integrated within GitHub itself. If you’d like to scan source code that is hosted elsewhere, we suggest that you create a mirror of that code on GitHub.

@pivotal-cla
Copy link

@jorgectf Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jun 26, 2023
@pivotal-cla
Copy link

@jorgectf Thank you for signing the Contributor License Agreement!

@mikereiche mikereiche merged commit 0ee1f8a into spring-projects:main Jun 27, 2023
mikereiche pushed a commit that referenced this pull request Jun 29, 2023
@jorgectf @mikereiche
Add CodeQL workflow (#1767)
49b6d99
mikereiche pushed a commit that referenced this pull request Jun 29, 2023
@jorgectf @mikereiche
Add CodeQL workflow (#1767)
299b27f
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
status: waiting-for-triage An issue we've not yet triaged
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jorgectf @pivotal-cla @spring-projects-issues @mikereiche