Recommendations on CodeQL and other automated scanning? #15

Open
krassowski opened this issue Oct 22, 2021 · 1 comment
Comments

krassowski (Member) commented Oct 22, 2021

I wonder if you have thoughts on setting up automated code scanning for code repositories, for example with CodeQL. Personally, it helped me catch some issues, but I know it can be noisy on larger projects (but those are few). Should Jupyter subprojects be encouraged to include such a job on CI (some already have)?

manics (Contributor) commented Oct 23, 2021

In theory I think it's a good thing; in practice I think many of us aren't sure how to use CodeQL effectively, e.g. see jupyterhub/binderhub#1404

Perhaps recommending CodeQL along with the option of help from someone who can optimise the config, or provide advice on reducing noise, could be helpful? This inevitably leads to the question of who can provide that help, whether it is voluntary or paid, etc. Perhaps a Jupyter Security Advocate (analogous to a developer/community advocate) position?
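For reference, the kind of CI job and noise-reducing configuration the two comments above are talking about, as an added example that is not part of this issue thread and not a Jupyter project's own workflow. It assumes a Python repository, the `github/codeql-action` v2 actions, and a placeholder query id (`py/example-noisy-query`) standing in for whichever query a project finds too noisy.

```yaml
# .github/workflows/codeql.yml  (added example; assumes a Python project)
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "17 3 * * 1"   # weekly run picks up newly added queries
permissions:
  contents: read
  security-events: write   # needed to upload results to code scanning
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: python
          # Point at a repo-local config so noise tuning is reviewable in PRs
          config-file: ./.github/codeql/codeql-config.yml
      - uses: github/codeql-action/analyze@v2
---
# .github/codeql/codeql-config.yml  (added example)
name: "Project CodeQL config"
# Start from the broader suite, then prune: easier to justify each exclusion
queries:
  - uses: security-and-quality
# Skip vendored and test code, the usual source of low-value findings
paths-ignore:
  - "**/vendor/**"
  - "**/node_modules/**"
  - "**/tests/**"
  - "docs/**"
# Exclude individual queries by id once triage shows they are not useful;
# the id below is a placeholder, not a real CodeQL query
query-filters:
  - exclude:
      id: py/example-noisy-query
```

Keeping the exclusion list in a tracked file means each suppression carries a commit history explaining why it was added, which is the advice a reviewer would otherwise have to give by hand.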
