Hi all, I wanted to gauge interest in adding CodeQL to our GitHub Actions to add automated vulnerability checks to our CI pipeline. Alexey Temnikov has already done a test run on a TinkerPop fork which found an unsafe type conversion in gremlin-go as well as raising several warnings from code in both prism.js and jquery.js (both used for the site). The total execution time for the job was 1h:50m (runs in parallel to the existing build-test workflow). The vast majority of this execution time (1h:42m) was spent building all of our C# code using CodeQL's autobuilder. This runtime should be drastically improved by properly configuring a manual build for C#. With this build bottleneck alleviated, total execution time should be under 30 min.
I would suggest that if we proceed with enabling CodeQL, we initially configure it to ignore prism.js and jquery.js as those files in their current form will fail the scan. All warnings raised in those files should be discussed and a decision made whether it is worth pursuing any fixes. For anyone looking for more information, the GitHub docs <https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning> are a good resource as well as the CodeQL website <https://codeql.github.com/>.

Thanks,
Cole Greer
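For readers who want to see what the proposal above would look like as a workflow, here is a sketch added as an illustration; it is not from the original email, from Alexey's test run, or from the TinkerPop repository. It uses the two points the message makes (a manual C# build instead of the autobuilder, and ignoring prism.js and jquery.js until their warnings are triaged); the branch name, the ignore globs and the C# solution path are placeholders/assumptions.

```yaml
# Added example workflow (.github/workflows/codeql.yml) - not the project's own file.
# Assumptions: branch name, the '**/prism.js' / '**/jquery.js' globs and the
# C# solution path are placeholders to adjust for the real repository layout.
name: CodeQL

on:
  push:
    branches: [ master ]      # assumed branch name
  pull_request:
    branches: [ master ]

jobs:
  analyze:
    name: analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write  # needed to upload results to code scanning
    strategy:
      fail-fast: false        # one language failing should not hide the others
      matrix:
        language: [ java, javascript, go, csharp ]
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Inline CodeQL config: skip the vendored site scripts for now, as
          # the email suggests, until their warnings have been discussed.
          config: |
            paths-ignore:
              - '**/prism.js'
              - '**/jquery.js'

      # C#: run the project's own build under CodeQL's tracer instead of the
      # autobuilder, which is where the ~1h42m of the test run went.
      - name: Build C# (manual)
        if: matrix.language == 'csharp'
        run: dotnet build PLACEHOLDER_PATH/Gremlin.Net.sln   # placeholder path

      # Everything else keeps the autobuilder (a no-op for JavaScript).
      - name: Autobuild
        if: matrix.language != 'csharp'
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Because the matrix runs each language as its own job, the C# build only gates the csharp job, so the other languages finish independently of it.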