Hi Aditya,

We (I at least) already receive security alerts for our website code. It notably led to https://gitbox.apache.org/repos/asf?p=ofbiz-site.git

As long as we are able to restrict the sending of alerts to committers, it's OK with me. I'd not like other people to receive zero-day information...

Thanks

Jacques

On 02/10/2020 at 15:06, Aditya Sharma wrote:
Hi team,

I think we can enable the code scanning security feature for all the OFBiz repositories available on GitHub, which helps identify security vulnerabilities using CodeQL.

https://github.com/apache/ofbiz-framework/security/code-scanning
https://securitylab.github.com/tools/codeql

Citation from https://www.infoworld.com/article/3453742/github-makes-codeql-free-for-research-and-open-source.html :

*"CodeQL, a semantic code analysis engine and query tool for finding security vulnerabilities across a codebase, has been made available for free by GitHub for anyone to use in research or to analyze open source code."*

If no one is against it, I will move ahead with it.

Thanks and Regards,
Aditya Sharma
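For readers following the thread, this is an added example of the GitHub Actions workflow that enabling CodeQL code scanning on a repository amounts to; it is not from this thread or from the OFBiz project. The `trunk` branch name, the Java language selection and reliance on CodeQL's autobuild step are assumptions about the repository.

```yaml
# .github/workflows/codeql-analysis.yml
# Added example, not from the thread or the OFBiz project.
# Assumptions: default branch is "trunk", the code base is Java and
# CodeQL's autobuild step can drive the project's build.
name: CodeQL

on:
  push:
    branches: [ trunk ]
  pull_request:
    branches: [ trunk ]
  schedule:
    - cron: '0 3 * * 1'   # weekly rescan so newly published queries cover old code

permissions:
  contents: read
  security-events: write  # needed to upload results to the code scanning tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [ java ]
    steps:
      - uses: actions/checkout@v2

      # Initialise CodeQL for the chosen language; the security-extended
      # suite adds lower-confidence security queries to the default set.
      - uses: github/codeql-action/init@v1
        with:
          languages: ${{ matrix.language }}
          queries: security-extended

      # Compiled languages must be built so CodeQL can extract a database.
      - uses: github/codeql-action/autobuild@v1

      # Run the queries and upload SARIF results as code scanning alerts.
      - uses: github/codeql-action/analyze@v1
```

Code scanning alerts produced this way appear under the repository's Security tab and are visible only to people with write access to the repository, which addresses the concern about exposing findings beyond committers.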
