ci: use CodeQL instead of LGTM #1186
Conversation
Also a note: the current CodeQL fail is expected, since it's a first scan that found all the possible issues in the code base, which are already reported by LGTM. Also, it's missing the base branch results, which will get resolved once this is merged.
As LGTM is going to be shut down by EOY[0], let's move the code scanning to CodeQL as recommended. Thanks to GH integration the results from such scans will be shown both in the respective PR and in the Security -> Code Scanning tab[1].
[0] https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/
[1] https://github.com/systemd/mkosi/security/code-scanning
I enabled the extended query suites, so now it reports quite a number of potential issues, see https://github.com/systemd/mkosi/security/code-scanning?query=pr%3A1186+tool%3ACodeQL+is%3Aopen If you don't find the extended checks useful, please let me know and I'll disable them again.
So on the next PR the test will succeed if no new problems are added? Is there a way to see the baseline results afterwards?
Exactly.
They'll appear in the Security tab under Code Scanning - https://github.com/systemd/mkosi/security/code-scanning
LGTM. I've scrolled through the warnings and some things are noise, but some do warrant looking into. Since this will stay available I see no reason to not merge this, since it's definitely a leg up from lgtm.com.
One last question though: Does this have a knob for which Python version to target or can it read that from e.g. pyproject.toml?
It tries to sort of autodetect stuff from the files lying around:
but currently it falls back to the installed python 3.10. However, if the need arises, you can configure the environment as needed before calling the CodeQL analysis.
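To make the "configure the environment before the analysis" point concrete, here is an added example workflow (not the PR's own file and not mkosi's actual configuration): the interpreter is pinned with `actions/setup-python` ahead of the CodeQL init step, and the extended query suite from this thread is enabled explicitly. Branch names, the runner image and the pinned version are assumptions.

```yaml
# Added example, not the mkosi repository's workflow. Pinning the interpreter
# before github/codeql-action/init means the Python extractor analyzes against
# a chosen version instead of whatever python happens to be on the runner
# (3.10 at the time of this thread).
name: CodeQL

on:
  push:
    branches: [main]        # assumed branch name
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write    # required to upload results to the Code Scanning tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Select the interpreter the CodeQL extractor will find on PATH.
      # A fixed string is used here; treat the exact version as an assumption.
      - uses: actions/setup-python@v4
        with:
          python-version: "3.10"

      - uses: github/codeql-action/init@v2
        with:
          languages: python
          # The extended suite mentioned in the thread; remove this line to
          # return to the default (quieter) query set.
          queries: security-extended

      - uses: github/codeql-action/analyze@v2
```

With `security-events: write` the findings land in the Security -> Code Scanning tab, and on later PRs only alerts new relative to the base branch are flagged in the PR itself.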
Also, to add to this, CodeQL does
I guess we'll need to go over and try to fix the reported warnings before merging this
Well, the warnings won't get reported again (i.e. no noise in other PRs), but stay visible in the Security tab, so they can be fixed later without the need of blocking this (so CodeQL could possibly analyze other PRs).
So I guess #1120 can be closed now?
Once this is merged I'll go ahead and disable the LGTM integration completely.
Note: I had to create this branch directly in the upstream repo, otherwise GH wouldn't pick up the new action until it's merged.