-
Notifications
You must be signed in to change notification settings - Fork 576
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding Security Workflows to GitHub Actions (1/2): codeql workflow #506
Conversation
@AzfaarQureshi please update with base branch. This looks ready to merge. |
87bf6ea
to
3398ea7
Compare
@MrAlias rebased! (copying over question from the go-core PR) just a quick question, do you want codeql to run on every PR as well or just once daily via the cron job? I just realized that the description is outdated from back when I had the PR trigger as well but I removed it cause I thought it would be too frequent. What are your thoughts? |
For those following this, I agreed that it was too frequent and the once a night is good. |
Motivation
Follow up to issue Follow up to issue open-telemetry/oteps#144
CodeQL is GitHub's static analysis engine which scans repos for security vulnerabilities. As the project grows and we near GA it might be useful to have a workflow which checks for security vulnerabilities with every PR so we can ensure every incremental change is following best development practices. Also passing basic security checks will also make sure that there aren't any glaring issues for our users.
Changes
security
tab of this repo.Workflow Triggers
cc- @alolita