laurentsimon
yes, you're correct @spencerschrock, I think we do catch it today. `sha` is secure if used and the code is not run afterwards, or if labels / env are applied prior...
> I'm not sure whether it's the right place to mention this issue with the checks analyzing PRs but since I've run into it mostly using the SAST check I...
> One option would be to figure out whether LGTM is listed among the apps that can be triggered on pull requests with https://docs.github.com/en/rest/reference/checks#get-a-check-suite and if it's there and it...
summary:
1. tool configured (CodeQL) and runs as cron => give some points (we already do this)
2. tool configured on each push => increase the score (we don't...
ah, right. Agreed.
re: Windows runner. The Go binary should run on Windows so I don't expect problems. But as @azeemshaikh38 said, most of our tests run on the ubuntu runner. I think we could...
@anuraag016 if GitHub runs the Action themselves, is there anything specific to your environment for the Action to detect it's being run by you and not the user? I ask...
Let's also keep these changes "private", i.e. we will make the changes for the integration and not publicize them? The ability to select which checks to use is useful for...
follow-up question: would you be pushing the results back to our servers? The Action has an option `publish_result: true` that lets users send the results to our backend servers. We...