Add missing SCA / SAST scans to CI #196
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
The build script has been replaced by https://github.com/alphagov/govuk-browser-extension/blob/9a5ae779e126b09fd303147d91c616c0fa527462/build.sh#L1, and the Jasmine test script has been replaced by NPM: https://github.com/alphagov/govuk-browser-extension/blob/7913847c4aa8b366826ada973264798cdb113ed2/.github/workflows/ci.yml#L36-L37

The presence of the Rakefile is causing issues for our CodeQL integration in #196, which is detecting Ruby but then failing to run the scan. It is hoped that removing the Rakefile will resolve this.
This will resolve the alert at https://gds.slack.com/archives/C02L13S214K/p1714381348726429.

NB, this took a bit of effort! We were [seeing](https://github.com/alphagov/govuk-browser-extension/actions/runs/9283183060/job/25542847886?pr=196) an error with the default code analysis:

```
Extracting javascript
Extracting ruby
Finalizing javascript
Finalizing ruby
/opt/hostedtoolcache/CodeQL/2.17.1/x64/codeql/codeql database finalize --finalize-dataset --threads=4 --ram=14567 /home/runner/work/_temp/codeql_databases/ruby
CodeQL detected code written in JavaScript/TypeScript, but not any written in Ruby. Confirm that there is some source code for Ruby in the project. For more information, review our troubleshooting guide at https://gh.io/troubleshooting-code-scanning/no-source-code-seen-during-build .
Error: Encountered a fatal error while running "/opt/hostedtoolcache/CodeQL/2.17.1/x64/codeql/codeql database finalize --finalize-dataset --threads=4 --ram=14567 /home/runner/work/_temp/codeql_databases/ruby". Exit code was 32 and last log line was: CodeQL detected code written in JavaScript/TypeScript, but not any written in Ruby. Confirm that there is some source code for Ruby in the project. For more information, review our troubleshooting guide at https://gh.io/troubleshooting-code-scanning/no-source-code-seen-during-build . See the logs for more details.
```

We explored configuring the [reusable workflow](https://github.com/alphagov/govuk-infrastructure/blob/main/.github/workflows/codeql-analysis.yml) to take a `languages` input, but there [doesn't seem to be a way of defaulting to 'undefined'](actions/runner#924) if the parameter isn't passed, meaning we'd have to set a default of, say, 'ruby'. This would break the workflow for repos that may already be working with both Ruby and JS, where they'd be forced to pass the `languages` parameter now.

We also explored setting up CodeQL directly within the GitHub UI and explicitly opting out of Ruby to have JS only, but the reusable workflow still does a language detection and runs both JS and Ruby scans (the "JS only" scan appears as a separate job called "CodeQL / Analyze (javascript-typescript) (dynamic)"):

![Screenshot 2024-05-29 at 09 50 26](https://github.com/alphagov/govuk-browser-extension/assets/5111927/114bb17b-ac2e-4f42-8560-a0df69a49178)

Eventually, on closer inspection, we found that the only Ruby in this project was a disused Rakefile, so we removed it in #198. Now the CodeQL scan passes.
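One way for a caller to derive the CodeQL language list from the source files that actually exist, rather than relying on autodetection that counts a lone Rakefile as Ruby; this is an added example, not code from this PR or the govuk-browser-extension repository, the helper names are assumptions, and the language ids are the ones that appear in the CI log above.

```shell
#!/bin/sh
# Added example, not code from the PR or the govuk-browser-extension repo.
# It picks the CodeQL languages to scan from the source files actually present,
# so that build glue such as a stray Rakefile does not trigger a Ruby scan that
# then finalizes with exit code 32 ("not any written in Ruby").
# Helper names (count_files, codeql_languages) are assumptions; the language ids
# javascript-typescript and ruby are the ones that appear in the PR's CI log.

# count_files DIR PATTERN... : number of regular files under DIR matching any
# of the -name patterns, skipping vendored dependencies.
count_files() {
  dir=$1; shift
  n=0
  for pat in "$@"; do
    c=$(find "$dir" -type f -name "$pat" -not -path '*/node_modules/*' | wc -l)
    n=$((n + c))
  done
  echo "$n"
}

# codeql_languages DIR : comma-separated CodeQL language ids for which at least
# one real source file exists. Rakefile and Gemfile are deliberately not
# counted as Ruby: they are build configuration, not application code.
codeql_languages() {
  dir=$1
  langs=""
  if [ "$(count_files "$dir" '*.js' '*.mjs' '*.ts' '*.tsx')" -gt 0 ]; then
    langs="javascript-typescript"
  fi
  if [ "$(count_files "$dir" '*.rb')" -gt 0 ]; then
    langs="${langs:+$langs,}ruby"
  fi
  echo "$langs"
}

# Constructed sample layout mirroring the PR's situation: JavaScript sources
# plus a disused Rakefile and no .rb files. Prints "javascript-typescript".
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/src"
  printf 'console.log("hi");\n' > "$d/src/app.js"
  printf 'task :default\n' > "$d/Rakefile"
  codeql_languages "$d"
  rm -rf "$d"
}

demo
```

The printed list is what a caller would pass as the `languages` value (or, when it is empty, skip the scan job entirely), which sidesteps the no-default problem described above.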