Update MetaMask/action-security-code-scanner and run as part of main workflow
#263
Conversation
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
| analyse-code: | ||
| name: Code scanner | ||
| needs: check-workflows | ||
| uses: ./.github/workflows/security-code-scanner.yml | ||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| security-events: write | ||
| secrets: | ||
| SECURITY_SCAN_METRICS_TOKEN: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }} | ||
| APPSEC_BOT_SLACK_WEBHOOK: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }} | ||
|
|
There was a problem hiding this comment.
Does this run in parallel to the other steps? One of the reasons we had originally opted for it to be separate is so that it would execute in parallel to not slow down CI times. Especially the CodeQL step can take a minute or two to build its database depending on the size of the repo
There was a problem hiding this comment.
It does! It only depends on check-workflows, but after that, both the security code scanner and build, lint, test steps will run in parallel.
MetaMask/Security-Code-Scannerwas renamed toMetaMask/action-security-code-scanner, and is now properly versioned as well. I've updated the workflow to useMetaMask/action-security-code-scanner@v1, and also changed it to run as part of the main workflow.Examples
We use this in the Snaps repo: https://github.com/MetaMask/snaps/blob/0d9472d5f4110fdd9b657220a51c53cbac6a2675/.github/workflows/main.yml#L24-L34