CodeQL SAST scanning for pip repository #12584

Open
wwuck opened this issue Mar 21, 2024 · 1 comment
Labels
S: needs triage Issues/PRs that need to be triaged type: feature request Request for a new feature

Comments

wwuck commented Mar 21, 2024

What's the problem this feature will solve?

This is following on from #12564 to discuss whether pip maintainers would be interested in enabling CodeQL SAST scanning on the pip repository?

This would enable scanning for code security vulnerabilities during each Pull Request to reduce the risk of any vulnerabilities entering the pip codebase.

Describe the solution you'd like

Enabling CodeQL scanning in the default setup is relatively painless and involves just clicking a few buttons in the pip project settings security analysis page.

Alternatively, I would be happy to provide a PR for a CodeQL workflow file similar to what is used in the pypa/twine and pypa/packaging repositories.

After the first scan is completed, a baseline can be created by dismissing any alerts that don't need to be fixed (e.g. alerts for code in tests).

I ran a quick test by enabling CodeQL on my fork of the pip repository and it came back with these results (screenshot, because it appears that my fork's CodeQL scan results are not publicly accessible outside of the GitHub project's maintainers):

[Screenshot: codeql-pip-fork]

Alternative Solutions

An alternative could be using SonarCloud but as that is a third-party tool, it would be simpler to stick with CodeQL integrated into GitHub.

Additional context

N/A

@wwuck wwuck added S: needs triage Issues/PRs that need to be triaged type: feature request Request for a new feature labels Mar 21, 2024
pfmoore (Member) commented Mar 21, 2024

A number of those alerts seem to be for vendored dependencies. To be useful it would need to be possible to tell the tool to skip the _vendor directory. In general I would prefer it if the approach was configurable so that we could choose what checks to opt into and what files to check.
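As an added illustration of the configurability pfmoore asks for (this is not part of the issue thread and not pip's own workflow or configuration): a CodeQL Actions workflow whose inline configuration skips any `_vendor` directory and the tests, opts into a named query suite, and opts out of one individual query. The path globs, the branch name, the choice of query suite and the excluded query id are assumptions picked for illustration; the `config`, `paths-ignore`, `queries` and `query-filters` keys are the documented CodeQL configuration keys.

```yaml
# Added example (not pip's configuration): a CodeQL workflow whose inline
# config skips vendored code and tests and selects which checks run.
name: CodeQL

on:
  push:
    branches: [main]          # assumption: default branch is "main"
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write      # required to upload results to code scanning

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: python
          # Inline configuration; same schema as a separate config-file.
          config: |
            # Skip vendored dependencies and tests. The globs are an
            # assumption and should match the repository layout.
            paths-ignore:
              - '**/_vendor/**'
              - 'tests/**'
            # Opt into a specific query suite instead of the default set.
            queries:
              - uses: security-extended
            # Opt out of a single query by id (example id, shown only to
            # demonstrate the mechanism).
            query-filters:
              - exclude:
                  id: py/clear-text-logging-sensitive-data

      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:python"
```

With this in place, vendored code never reaches the analysis, so no alerts for it need to be dismissed to establish a baseline; dismissals remain useful only for the remaining findings that are judged acceptable. The same configuration can live in `.github/codeql/codeql-config.yml` and be referenced via the `config-file` input if the repository prefers to keep it out of the workflow.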
