dd-trace-js
Create codeql.yml
What does this PR do?
Adds CodeQL security scanning to improve static analysis.
Examples of the output are available at https://github.com/stephengroat/dd-trace-js/security/code-scanning
5 of the initial security issues are easily dismissed (only in test files)
2 of the 4 open ones seem to be in versioning scripts, probably not critical: https://github.com/stephengroat/dd-trace-js/security/code-scanning/4?query=ref%3Arefs%2Fheads%2Fmaster https://github.com/stephengroat/dd-trace-js/security/code-scanning/3?query=ref%3Arefs%2Fheads%2Fmaster
I think https://github.com/stephengroat/dd-trace-js/security/code-scanning/6?query=ref%3Arefs%2Fheads%2Fmaster is also a testing server, but I'm not 100% sure
Seems like https://github.com/stephengroat/dd-trace-js/security/code-scanning/9?query=ref%3Arefs%2Fheads%2Fmaster is more motivated for server-side applications rather than client-side libraries
Motivation
increase static analysis coverage across
Plugin Checklist
- [ ] Unit tests.
- [ ] TypeScript definitions.
- [ ] TypeScript tests.
- [ ] API documentation.
- [ ] CircleCI jobs/workflows.
- [ ] Plugin is exported.
Additional Notes
Can this be closed now that another CodeQL config has been merged on master?
I'm going to close this out as CodeQL has landed on master. Thanks for the contribution nonetheless!
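For readers who want to see what a CodeQL setup of the kind this PR describes looks like, here is an added example of a GitHub Actions workflow plus a CodeQL config file for a JavaScript library. This is not the codeql.yml from the PR or the one later merged on master (neither file's contents appear on this page); the branch name, schedule, config-file path and the ignored test paths are assumptions. The `github/codeql-action` inputs used (`languages`, `config-file`, and `paths-ignore` in the config) are real options of that action.

```yaml
# .github/workflows/codeql.yml  (added example, not the PR's own file)
name: CodeQL

on:
  push:
    branches: [master]        # assumed default branch
  pull_request:
    branches: [master]
  schedule:
    - cron: '0 6 * * 1'       # weekly run picks up newly published queries

permissions:
  contents: read
  security-events: write      # needed to upload SARIF results to code scanning

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
          config-file: ./.github/codeql/codeql-config.yml   # assumed path
      - uses: github/codeql-action/analyze@v3

---
# .github/codeql/codeql-config.yml  (added example; path and globs are assumptions)
name: "dd-trace-js CodeQL config"
# The PR notes that several findings were only in test files. One option is to
# keep such files out of the analysed code base so they never produce alerts.
paths-ignore:
  - '**/test/**'
  - '**/*.spec.js'
```

The `paths-ignore` exclusion is a design choice with a trade-off: it keeps the alert list focused on shipped library code, but a test that exercises an unsafe pattern can still be a useful signal that the same pattern exists elsewhere. Dismissing such alerts in the code-scanning UI with a recorded reason (as the PR author did) keeps them visible for later review, whereas excluding the paths hides them entirely. For a library rather than a server, it is also reasonable to review which query suite is enabled, since some server-oriented queries, like the one the PR description flags, will keep firing on code that is never reachable from untrusted input.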