
BUG SAST tool check runs on doc-only commits. #2487

Open
ianlewis opened this issue Nov 24, 2022 · 4 comments
Labels
kind/bug Something isn't working

Comments

@ianlewis

The slsa-github-generator repo currently omits running the CodeQL action on commits that are documentation or yaml only, as the CodeQL action is slow and doesn't support markdown or yaml anyway.

However, scorecard dings us for not running CodeQL on all of our commits. It would be nice if the scorecard could detect if the commits were documentation-only changes or not.

@ianlewis ianlewis added the kind/bug Something isn't working label Nov 24, 2022
@ianlewis ianlewis changed the title BUG SAST tool check runs on doc only commits. BUG SAST tool check runs on doc-only commits. Nov 24, 2022
@azeemshaikh38
Contributor

Thanks @ianlewis. IIUC, there are static analysis tools for config/workflow files. So checking for SAST tools on commits which only change YAML would be a valid use case?

If we were to limit ourselves to doc files (like .md) only, my concern is:

  • retrieving the changed files through GitHub API might significantly increase API token usage
  • would not work for projects which use Gerrit or other such code review tools
  • and is checking for commits which only modify .md files a strong enough use case to merit investing in?

@ianlewis
Author

ianlewis commented Dec 1, 2022

> Thanks @ianlewis. IIUC, there are static analysis tools for config/workflow files. So checking for SAST tools on commits which only change YAML would be a valid use case?

I think that's a fair point. It would be nice if scorecard had support for them.

> If we were to limit ourselves to doc files (like .md) only, my concern is:
>
>   • retrieving the changed files through GitHub API might significantly increase API token usage
>   • would not work for projects which use Gerrit or other such code review tools
>   • and is checking for commits which only modify .md files a strong enough use case to merit investing in?

Maybe the solution is expanding the number of SAST tools that scorecard checks for?

Scorecard itself has SAST like behavior for its permissions checks on GitHub workflows. I know several projects that have found those valuable.
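The thread discusses detecting documentation-only commits so a SAST check can exempt them, while also noting that YAML-only commits (workflows, configs) are a legitimate SAST target and should not be exempted. The Go program below is an added example of that classification heuristic; it is not scorecard's code, and the extension and directory lists, the Commit type, and the sample commits with placeholder SHAs are all constructed for illustration. It assumes the list of changed paths per commit is already available (for example from a local git checkout), which sidesteps the API-usage concern raised above.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// docExtensions lists file extensions treated as documentation-only.
// Constructed heuristic for this example, not a scorecard rule.
var docExtensions = map[string]bool{
	".md": true, ".markdown": true, ".rst": true, ".txt": true, ".adoc": true,
}

// docDirs lists directory prefixes whose contents are treated as docs.
var docDirs = []string{"docs/", "doc/"}

// IsDocFile reports whether a single changed path is documentation.
// YAML is deliberately NOT treated as documentation: workflow and config
// files have their own static analysis tools, so a YAML-only commit still
// warrants a SAST run (the point raised by azeemshaikh38 above).
func IsDocFile(p string) bool {
	p = strings.TrimPrefix(path.Clean(p), "./")
	for _, d := range docDirs {
		if strings.HasPrefix(p, d) {
			return true
		}
	}
	// A bare README with no extension is still documentation.
	if strings.EqualFold(path.Base(p), "README") {
		return true
	}
	return docExtensions[strings.ToLower(path.Ext(p))]
}

// IsDocOnlyCommit reports whether every changed file in a commit is
// documentation. An empty change set is not doc-only: there is nothing
// to exempt, so the conservative answer is "needs SAST".
func IsDocOnlyCommit(changed []string) bool {
	if len(changed) == 0 {
		return false
	}
	for _, f := range changed {
		if !IsDocFile(f) {
			return false
		}
	}
	return true
}

// Commit is a minimal record of a commit and its changed file paths
// (constructed type for this example).
type Commit struct {
	SHA     string
	Changed []string
}

// CommitsNeedingSAST drops doc-only commits and returns the SHAs for which
// a SAST check should expect to find a CodeQL (or similar) run.
func CommitsNeedingSAST(commits []Commit) []string {
	var out []string
	for _, c := range commits {
		if !IsDocOnlyCommit(c.Changed) {
			out = append(out, c.SHA)
		}
	}
	return out
}

func main() {
	// Constructed sample commits with placeholder SHAs.
	commits := []Commit{
		{SHA: "c1", Changed: []string{"README.md", "docs/usage.md"}},
		{SHA: "c2", Changed: []string{".github/workflows/ci.yml"}},
		{SHA: "c3", Changed: []string{"internal/checks/sast.go", "docs/sast.md"}},
	}
	for _, sha := range CommitsNeedingSAST(commits) {
		fmt.Println("needs SAST run:", sha)
	}
}
```

Running it reports c2 and c3 as needing a SAST run: c2 because YAML is not exempted, c3 because it touches Go source alongside a doc file; c1 is the only doc-only commit.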

@azeemshaikh38
Contributor

@laurentsimon do you know if we consider scorecard-action itself as a SAST tool?

@laurentsimon
Contributor

laurentsimon commented Dec 2, 2022

We currently do not, but we should revive #1487 and improve the SAST check to include it. The PR is too API intensive, and we need to solve this problem before merging it.

@afmarcum afmarcum moved this to Backlog - Bugs in Scorecard - NEW Mar 5, 2024