Sounds good to me, thanks Aditya
Jacques
Le 03/10/2020 à 07:41, Aditya Sharma a écrit :
That makes sense Jacques. It is critical.
I tried with one of my repositories and found that Code scanning alerts
under Security are only visible to people with write access i.e.
Committers.
Citation from article Managing code scanning alerts for your repository[1]
*"Anyone with read permission for a repository can see code scanning alerts
on pull requests. However, you need write permission to view a summary of
alerts for repository on the Security tab."*
Though I will spend some more time checking its behavior with other
scenarios like PR.
1.
https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository#viewing-an-alert
Thanks and Regards,
Aditya Sharma
On Fri, Oct 2, 2020 at 10:19 PM Jacques Le Roux <
[email protected]> wrote:
Hi Aditya,
We (I at least) receive already security alerts for our website code. It
notably leaded to https://gitbox.apache.org/repos/asf?p=ofbiz-site.git
As long are we are able to restrict the alerts sending to committers, it's
OK with me. I'd not like other people to receive zero days information...
Thanks
Jacques
Le 02/10/2020 à 15:06, Aditya Sharma a écrit :
Hi team,
I think we can enable the code scanning security feature for all the
OFBiz
repositories available with GitHub that helps identifying security
vulnerabilities using CodeQL.
https://github.com/apache/ofbiz-framework/security/code-scanning
https://securitylab.github.com/tools/codeql
Citation from
https://www.infoworld.com/article/3453742/github-makes-codeql-free-for-research-and-open-source.html
:
*"CodeQL, a semantic code analysis engine and query tool for finding
security vulnerabilities across a codebase, has been made available for
free by GitHub for anyone to use in research or to analyze open source
code."*
If no one is against it, I will move ahead with it.
Thanks and Regards,
Aditya Sharma
