Add CodeQL Security Scan GitHub Action #1622
Conversation
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
coliff
changed the title
|
I'll merge, but adding a note for future reference: This is a module that runs perhaps once, when you generate docs. You install it on your computer, you generate the docs. Security scanners will raise all hell about things like XSS attacks and Regex infinite backtracking DDoS attacks that are (a) not exploitable and (b) irrelevant to something that isn't running in a server process. A lot of the big-warning security issues you see just simply don't matter, 100% - if the hex string color parser in a subdependency can cause a DDoS with arbitrary color strings, it doesn't really mean anything for most people. So, for future reference, if someone points to the big alarm bell saying that "documentation.js is a security hazard", please, don't take the bell that seriously. Focus on exploitable real security hazards, not the automated context-free warnings that automated scanners produce. They're very often wrong, and they create busywork for open source maintainers. |
Sure thing - understood. Let's merge and if it causes issues we can consider deleting/disabling it. |
No description provided.