CI: Add CodeQL workflow for GitHub Actions security scanning #152
alamb merged 1 commit into apache:main
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
alamb
left a comment
Thanks @kevinjqliu -- this looks great. Let's give it a try!
@kevinjqliu do we need to do anything more to get the scan results in this repo?
Specifically, https://github.com/apache/datafusion-site/security still shows that we need to setup security scans 🤔
Actually, it is working now: https://github.com/apache/datafusion-site/security
Now we just need to go sort out those alerts.
btw I think only those with write permissions (committer/PMC) can see the Security tab. This is my view for https://github.com/apache/datafusion-site/security. But I can see results in the Iceberg repos.

This adds a CodeQL workflow to scan GitHub Actions workflow files for security issues such as script injection, use of untrusted input, and other misconfigurations.
Reference: https://github.blog/security/application-security/how-to-secure-your-github-actions-workflows-with-codeql/
Triggers: main
This is based on Apache Infra recommendation,
This PR was generated by https://gist.github.com/kevinjqliu/97d24733c7b75cd92b68bf8f5b247891
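For readers unfamiliar with what such a workflow looks like, below is an added example of a minimal CodeQL workflow that scans the repository's own GitHub Actions workflow files. It is not the workflow from this PR or from the linked gist; the branch name, schedule and job name are assumptions.

```yaml
# Added example, not the workflow merged in this PR. The branch name,
# cron schedule and job name are assumptions.
name: CodeQL (GitHub Actions workflows)

on:
  push:
    branches: [main]          # assumed default branch
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"       # assumed weekly run so new queries re-check existing files

# Least privilege at the workflow level; the job widens only what it needs.
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze Actions workflows
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # required to upload SARIF results to the Security tab
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          # The 'actions' language tells CodeQL to analyze .github/workflows/*.yml
          # for issues such as expression injection into 'run:' scripts and
          # checkout of untrusted pull_request_target code.
          languages: actions
          queries: security-extended

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:actions"

# The class of finding this scan reports, shown as a comment for reference:
#   unsafe:  run: echo "${{ github.event.issue.title }}"   # untrusted input expanded into shell
#   safer:   env:
#              TITLE: ${{ github.event.issue.title }}
#            run: echo "$TITLE"                            # value passed via env, not interpolated
```

Results appear under the repository's Security tab, which (as noted in the thread above) is visible only to users with write access.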