feathr
Adding DevSkim linter to GitHub Actions
Description
Adding the DevSkim plugin to GitHub Actions.
DevSkim is a security linter that highlights common security issues in source code.
The DevSkim GitHub Action outputs a SARIF file compatible with GitHub's Security Issues view.
It is strongly suggested that it be run for OSS projects.
How was this PR tested?
Tested in my fork; here is a successful run.
Does this PR introduce any user-facing changes?
- [x] No. You can skip the rest of this section.
- [ ] Yes. Make sure to clarify your proposed changes.
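A workflow of the kind the PR description refers to, as an added example (the PR's own workflow file is not shown on this page, so this is not the project's code). It assumes the published `microsoft/DevSkim-Action` and `github/codeql-action/upload-sarif` actions, the `devskim-results.sarif` output name the DevSkim action documents, and the `security-events: write` permission that SARIF upload requires; the file name matches the one in the run link further down the thread:

```yaml
# .github/workflows/devskim-security-linter.yml (added example, not the PR's file)
name: DevSkim

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write   # required to upload SARIF to the Security tab

    steps:
      - uses: actions/checkout@v3

      # Runs DevSkim over the checked-out tree and writes devskim-results.sarif.
      # The step does not fail the job on findings; they are only reported.
      - name: Run DevSkim scanner
        uses: microsoft/DevSkim-Action@v1

      # Publishes the SARIF so findings appear under Security > Code scanning.
      - name: Upload DevSkim scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: devskim-results.sarif
```

Because the scan step reports rather than fails, a green check on this workflow only means the scan and upload ran; the findings themselves have to be read from the Security tab, which is the point raised later in this thread.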
Can you please take a look at the failures as well? Either fix them or exclude them if it's a false alarm. Then we can have a baseline with DevSkim passing on the main branch after this is merged.
@jainr thanks for the PR, can you also help fix some of the alerts that this tool is giving? Some of them might be false alarms and some of them might need to be fixed.
The current two alerts come from documentation, and they are about https URLs. The first one is `curl -s https://whatismyip.akamai.com/`. If I change the URL to https, it won't work. I don't want to skip the folders completely as it might skip some legit issues.
The second URL it complains about is `export RBAC_REGISTRY_URL="http://127.0.0.1:18000/api/v1"`. It is a localhost URL, and in order for us to switch over to https we would have to use a TLS certificate.
It's safe to ignore these two alerts, but we should not skip the folders for any future issues.
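One way to ignore exactly these two findings without excluding the documentation folders, as an added example that is not part of the thread or the project's docs: DevSkim supports an inline suppression comment of the form `DevSkim: ignore <rule id>` (optionally with `until YYYY-MM-DD`) on the flagged line. The rule ID shown is, to my recollection, the one DevSkim's default rule set assigns to insecure http:// URLs; it is an assumption here and should be checked against the ID in the SARIF finding before use.

```shell
# Snippet as it might appear in a bash block of the project's docs (added example).
# Plain http is intentional on loopback; suppress the insecure-URL rule on this line only.
# DS137138 is assumed to be DevSkim's "Insecure URL" rule id; verify against the SARIF finding.
export RBAC_REGISTRY_URL="http://127.0.0.1:18000/api/v1"  # DevSkim: ignore DS137138

# Endpoint that only answers over plain http; same per-line suppression, time-boxed so
# the exception is revisited rather than forgotten (assumed date for illustration).
lookup_public_ip() {
  curl -s http://whatismyip.akamai.com/  # DevSkim: ignore DS137138 until 2024-12-31
}

# Helper so the exported value can be checked without any network access.
rbac_registry_url() {
  printf '%s\n' "$RBAC_REGISTRY_URL"
}
```

Scoping the suppression to the line keeps the rest of the docs folder under scan, which is what the thread asks for instead of a folder exclusion.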
LGTM, but if it's merged does it mean that we will always get a failure in DevSkim and have to check if there is a third error?
DevSkim does not fail, at least from the GH Action's perspective, and it does not print the reason in the execution logs either, since it is sensitive information. It provides the findings under the Security tab, so yes, we have to monitor it from time to time.

Here is how it looks under GH action. https://github.com/jainr/feathr/actions/workflows/devskim-security-linter.yml