Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: enable security code scanner #8593

Merged
merged 9 commits into from
Feb 19, 2024
Merged

ci: enable security code scanner #8593

merged 9 commits into from
Feb 19, 2024

Conversation

witmicko
Copy link
Contributor

@witmicko witmicko commented Feb 15, 2024

Required Action

Prior to merging this pull request, please ensure the following has been completed:

  • The lines specifying branches correctly specifies this repository's default branch (usually main).
  • Any paths you would like to ignore have been added to the paths_ignored configuration option (see setup)
  • Any existing CodeQL configuration has been disabled.

What is the Security Code Scanner?

This pull request enables the MetaMask Security Code Scanner GitHub Action. This action runs on each pull request, and will flag potential vulnerabilities as a review comment. It will also scan this repository's default branch, and log any findings in this repository's Code Scanning Alerts Tab.

Screenshot 2024-02-12 at 9 19 05 PM

The action itself runs various static analysis engines behind the scenes. Currently, it is only running GitHub's CodeQL engine. For this reason, we recommend disabling any existing CodeQL configuration your repository may have.

How do I interact with the tool?

Every finding raised by the Security Code Scanner will present context behind the potential vulnerability identified, and allow the developer to fix, or dismiss it.

The finding will automatically be dismissed by pushing a commit that fixes the identified issue, or by manually dismissing the alert using the button in GitHub's UI. If dismissing an alert manually, please add any additional context surrounding the reason for dismissal, as this informs our decision to disable, or improve any poor performing rules.

Screenshot 2024-02-12 at 8 41 46 PM

For more configuration options, please review the tool's README.
For any additional questions, please reach out to @mm-application-security slack.

Sorry, something went wrong.

@witmicko witmicko added DO-NOT-MERGE Pull requests that should not be merged team-mobile-platform Mobile Platform team labels Feb 15, 2024
@witmicko witmicko requested a review from a team as a code owner February 15, 2024 15:42
Copy link
Contributor

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@metamaskbot metamaskbot added the INVALID-PR-TEMPLATE PR's body doesn't match template label Feb 15, 2024
@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@witmicko witmicko changed the title enable securito code scanner ci: enable security code scanner Feb 15, 2024
@codecov-commenter
Copy link

codecov-commenter commented Feb 15, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (912d6c8) 41.06% compared to head (5fb6528) 41.07%.
Report is 4 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #8593   +/-   ##
=======================================
  Coverage   41.06%   41.07%           
=======================================
  Files        1246     1246           
  Lines       30320    30320           
  Branches     2962     2962           
=======================================
+ Hits        12452    12453    +1     
+ Misses      17125    17123    -2     
- Partials      743      744    +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@tommasini
Copy link
Contributor

Heyyy, Awesome work! I see the do not merge library, but the changes seem good to me! It is missing something?

@witmicko
Copy link
Contributor Author

Heyyy, Awesome work! I see the do not merge library, but the changes seem good to me! It is missing something?

thank you @tommasini, we put "do not merge" because we want to hold off a little with merging it but would appreciate PR early review and approval so it could be merged quickly when all is ready

@witmicko witmicko removed the DO-NOT-MERGE Pull requests that should not be merged label Feb 15, 2024
Copy link
Contributor

@tommasini tommasini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

@witmicko witmicko merged commit 14d25c1 into main Feb 19, 2024
28 checks passed
@witmicko witmicko deleted the mm-security-code-scanner branch February 19, 2024 14:26
@github-actions github-actions bot locked and limited conversation to collaborators Feb 19, 2024
@metamaskbot metamaskbot added the release-7.18.0 Issue or pull request that will be included in release 7.18.0 label Feb 19, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
INVALID-PR-TEMPLATE PR's body doesn't match template release-7.18.0 Issue or pull request that will be included in release 7.18.0 team-mobile-platform Mobile Platform team
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

None yet

4 participants