
Implement CodeQL SAST Workflow. #13

@3akare


Description:

From the OpenSSF Audit:
The project must use Static Application Security Testing (SAST) to automatically analyze the source code for common security vulnerabilities and errors. GitHub's CodeQL is the recommended tool for initial implementation.

Tasks:

Create a workflow file named .github/workflows/codeql-analysis.yml.
Configure the workflow to run CodeQL on all push and pull_request events targeting the main branch.
Ensure the workflow is set up for the Java language to perform accurate security analysis.

Current Status:

OpenSSF Scorecard reports:
0 / 10 | SAST | No static analysis tool detected.
The absence of SAST tooling allows security vulnerabilities to be introduced into the codebase without immediate detection.

Acceptance Criteria (DoD+):

Running the OpenSSF Scorecard scan returns a 10 / 10 for the SAST check.
The repository contains a functional .github/workflows/codeql-analysis.yml file.
Every new Pull Request successfully triggers the CodeQL workflow, and security alerts are visible in the "Security" tab.
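A workflow that covers the three tasks above (file at .github/workflows/codeql-analysis.yml, triggered on push and pull_request to main, configured for Java), added here as an illustration and not the project's own file. The JDK distribution and version, the action version tags and the weekly schedule are assumptions; the issue does not specify them.

```yaml
# .github/workflows/codeql-analysis.yml
# Example workflow written for this issue; JDK 17 / Temurin and the
# action version tags below are assumptions, not project settings.
name: "CodeQL"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  # Assumed weekly run so alerts for newly published queries still surface
  # on a quiet repository (not required by the issue).
  schedule:
    - cron: "30 3 * * 1"

# Least privilege at the workflow level; the job grants only what it needs.
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze (Java)
    runs-on: ubuntu-latest
    permissions:
      contents: read          # check out the source
      actions: read           # let the action read workflow run metadata
      security-events: write  # upload SARIF results to the Security tab

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # A JDK on the runner lets CodeQL's autobuild compile the project,
      # which is what makes the Java dataflow analysis accurate.
      - name: Set up JDK (assumed: Temurin 17)
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: "17"

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java-kotlin
          # security-extended adds lower-precision security queries on top
          # of the default suite; drop it if the alert volume is too noisy.
          queries: security-extended

      # Tries Maven/Gradle/Ant automatically; replace with explicit build
      # commands (build-mode: manual) if autobuild fails for this project.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:java-kotlin"
```

Two things decide whether the acceptance criteria are met once this is merged. First, the `security-events: write` permission is what allows the analyze step to upload results, so alerts only appear in the Security tab when it is present and code scanning is enabled for the repository. Second, OpenSSF Scorecard's SAST check looks for the CodeQL action in the repository's workflows and for its check runs on merged pull requests, so the workflow has to actually run on pull_request events, not only on a schedule. Scorecard's separate Pinned-Dependencies check prefers actions pinned to a full commit SHA rather than the version tags used here for readability; pin them when adopting this.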
