Implement CodeQL Security Scan in workflow #9871
miguelgual2003 wants to merge 1 commit into encode:main from
Added CodeQL security scan workflow for Python.
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
| # Para Python NO hace falta build ni dependencias | ||
| # CodeQL analiza el código fuente directamente |
Please remove these comments or write them in English... From my basic Spanish they don't seem to add a lot of value, so I would lean towards removing
Pull request overview
Adds a CodeQL code-scanning job to the existing CI workflow to run Python security (and quality) analysis and upload results to GitHub code scanning.
Changes:
- Add a new `codeql` job to initialize and run CodeQL analysis for Python.
- Configure job-level permissions needed to upload SARIF/code scanning results.
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 |
actions/checkout version is inconsistent with the rest of the repo workflows (this file and others use actions/checkout@v6). Aligning the version here avoids unexpected behavior/security patch differences across jobs.
| uses: actions/checkout@v4 | |
| uses: actions/checkout@v6 |
| permissions: | ||
| security-events: write | ||
| contents: read | ||
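Review bot: the job-level `permissions:` block is scoped sensibly, but declaring any permission at job level resets every scope not listed to `none` for this job, so keep `contents: read` (the checkout step needs it) and be aware that on a private repository the CodeQL analyze step would additionally require `actions: read`. Because this workflow runs on `pull_request`, the `security-events: write` grant is not available to runs triggered from forks, so this block should be paired with an `if:` guard on the job (or the job moved to `push`/`schedule` triggers) rather than left to fail for external contributors.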
This job requests security-events: write, which GitHub does not grant to workflows triggered from forked PRs. Since the workflow runs on pull_request, this job is likely to fail for external contributors. Consider guarding the job/steps to skip on forks, or run CodeQL only on push/schedule (or use pull_request_target with appropriate hardening).
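One way to apply the guard described in the comment above, as an added example that is not the PR's own workflow file or any file from the encode repository: the job is skipped for pull requests whose head repository is not this repository (where GitHub withholds `security-events: write`), and a weekly `schedule` trigger keeps the default branch re-analysed as query packs update. The workflow name, branch name, cron expression and `category` value are assumptions; `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3` and `actions/checkout@v6` (the version the page says the repository's other workflows use) are real actions.

```yaml
# Added example, not the project's workflow. Assumed file: .github/workflows/codeql.yml
name: CodeQL

on:
  push:
    branches: [main]          # assumed default branch
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"       # assumed: weekly re-scan of the default branch

jobs:
  codeql:
    runs-on: ubuntu-latest
    # Skip fork-originated pull requests: GitHub does not grant
    # security-events: write to those runs, so the SARIF upload would fail.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    permissions:
      security-events: write   # required to upload SARIF to code scanning
      contents: read           # required by actions/checkout
      actions: read            # only needed on private repositories
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: python
          queries: security-and-quality

      # For Python, no build or dependencies are required:
      # CodeQL analyzes the source code directly.
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:python"   # assumed category label
```

With this guard, results for pushes to the default branch and for same-repository pull requests still appear on the Security tab and as PR annotations; fork pull requests simply show the job as skipped instead of failing on the upload step.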
| # Para Python NO hace falta build ni dependencias | ||
| # CodeQL analiza el código fuente directamente |
The added inline comments are in Spanish, while the rest of the workflows in this repo are written in English. Please translate these to English to keep CI configuration maintainable for the broader contributor base.
| # Para Python NO hace falta build ni dependencias | |
| # CodeQL analiza el código fuente directamente | |
| # For Python, no build or dependencies are required | |
| # CodeQL analyzes the source code directly |