Conversation
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
bluwy
left a comment
+1 on adding this; however, was CodeQL considered before using a third-party scanner? It's documented to support scanning workflows (though it's still in public preview, but I imagine it'll get better from there).
Oh, I didn't know that CodeQL supports scanning workflow files. Let me check what it does.
It seems CodeQL does work, but looking at the results, zizmor has more rules.
Comparing CodeQL rules and zizmor rules, it seems both are on the right path, each with their own strengths. I think I'd personally lean on CodeQL's as a start since it's maintained by GitHub itself, but I also wonder what others think about this.
How expensive are the other CodeQL scans, and are they worth it too, or would this be limited to workflow files? I am a bit concerned about the "copilot will suggest fixes for findings" part of it. In general I would prefer using a tool coming from GitHub. A third-party scanner tool would have to be pinned, and updates would have to be closely checked to avoid a similar issue where a bad update to the scanner extracts secrets.
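The pinning concern raised in the comment above can be checked mechanically. The following is an added example, not code from this PR, from Vite, Rolldown or zizmor: a small script that flags `uses:` references in a workflow that are not pinned to a full 40-hex commit SHA, run over a constructed sample workflow. The action names and the SHA in the sample are made up for illustration.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example for this discussion; not part of any project's workflow files.
The sample workflow below is constructed, and the action names/SHA in it are
placeholders.
"""
import re
from dataclasses import dataclass

# Matches `uses: owner/repo[/subpath]@ref` on a step line, with or without a leading "- ".
# The capture stops at whitespace or a `#`, so a trailing version comment is ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    ref: str
    reason: str


def check_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` step that is not pinned to a 40-hex commit SHA.

    Local actions (`./path`) live in the same repository and docker images
    (`docker://...`) are pinned by digest in a different way, so both are skipped.
    """
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        if "@" not in ref:
            findings.append(Finding(line_no, ref, "no version reference at all"))
            continue
        _, version = ref.rsplit("@", 1)
        if FULL_SHA_RE.match(version):
            continue  # pinned to an immutable commit; a tag move cannot change what runs
        findings.append(
            Finding(line_no, ref, f"ref '{version}' is not a full commit SHA (mutable tag/branch or abbreviated SHA)")
        )
    return findings


# Constructed sample workflow, not a real file from the repository.
SAMPLE_WORKFLOW = """\
# constructed sample, placeholder action names
name: scan
on: [push]
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: some-org/third-party-scanner@v1
      - uses: another-org/tool@main
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
"""


if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.ref}: {f.reason}")
```

Running it on the sample reports the two third-party steps pinned to `v1` and `main`; the checkout step pinned to a full SHA, the local action and the docker image pass. A check like this belongs in CI alongside whichever scanner is chosen, since it covers the scanner's own `uses:` line as well.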
I think it's better to use CodeQL.
I vote to align with Rolldown, but I agree with the sentiment that using the option maintained by GitHub would be the best. @sapphi-red maybe you could gather if there was a blocker to using CodeQL in the Rolldown repo and if there is interest in swapping to it if not? |
I checked Rolldown side and they didn't have any reason not to use CodeQL. Since CodeQL is working fine now, I'll close this PR for now. |
Description
zizmor is a static analysis tool for Actions.
After this PR is merged, we can see the results at https://github.com/vitejs/vite/security/code-scanning.
The workflow file is the same as rolldown/rolldown#3861.