Skip to content

Add codeql code security and quality scan #5579

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lukasmasuch merged 48 commits into from
Oct 24, 2022
Merged

Add codeql code security and quality scan #5579

lukasmasuch merged 48 commits into from
Oct 24, 2022

Conversation

@lukasmasuch
Copy link
Collaborator

@lukasmasuch lukasmasuch commented Oct 21, 2022
edited
Loading

📚 Context

This PR adds Github CodeQL which adds static code security and quality scans. This will run automatically on all of our PRs.

See the scan results here: https://github.com/streamlit/streamlit/security/code-scanning?query=pr%3A5579+is%3Aopen+

  • What kind of change does this PR introduce?

    • Bugfix
    • Feature
    • Refactoring
    • Other, please describe:

Closes #3217

Contribution License Agreement

By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.

@lukasmasuch
Remove outdated and skipped test
485a9a3
@lukasmasuch
Fix wrong usage of super
8103c16
@lukasmasuch
Use python 3 super
b0ba9b2
@lukasmasuch
Change back
e2a3b99
@lukasmasuch
Fix codeql issue
e1be663
@lukasmasuch
Cleaned up _get_error_message_args
46872ab
@lukasmasuch
Escape dot in regex
7ba45c3
@lukasmasuch
Add code-ql workflow
ed55cf3
@lukasmasuch
Add codeql recommendation
3ae2dab
@lukasmasuch
Fix log injection
f7cbcd3
@lukasmasuch
Fix log injections
e60c895
@lukasmasuch
Remove unused logger
3f9c3f1
@lukasmasuch
Remove logging statements
3242eab
@lukasmasuch
Fix codeql issues
395b5a6
@lukasmasuch
Remove logger mocks
3b97c94
@lukasmasuch
Make logger internal
ee32c3f
@lukasmasuch
Remove unused import
7a9044a
@lukasmasuch
Add codeql recommendation
81feb00
@lukasmasuch
Only run in specific paths
e217816
@lukasmasuch
Add codeql config file
5bd9906
@lukasmasuch
Use our python installation
6b0442e
@lukasmasuch
Remove uncessary pass statement
7d18beb
@lukasmasuch
Deactivate auto-install of python deps
4972182
@lukasmasuch
Print out codeql python
2e0d110
@lukasmasuch
Add print out python
ab16ad5
@lukasmasuch
Fix print out
81844da
@lukasmasuch
Activate pipenv
81f59a4
@lukasmasuch
Activate virtual env
b1098dd
@lukasmasuch
Fix python setup
1beea80
@lukasmasuch
Activate pipenv shell
fe790be
@lukasmasuch lukasmasuch marked this pull request as ready for review October 21, 2022 01:11
@lukasmasuch lukasmasuch mentioned this pull request Oct 21, 2022
Closed
kmcgrady
kmcgrady approved these changes Oct 21, 2022
View reviewed changes
Copy link
Collaborator

@kmcgrady kmcgrady left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a comment question.

When should we dismiss or address the warnings?

.github/workflows/codeql-analysis.yml
pull_request:
# The branches below must be a subset of the branches above
branches: ["develop"]
schedule:
Copy link
Collaborator

@kmcgrady kmcgrady Oct 21, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can run on any fork, right?

Copy link
Collaborator Author

@lukasmasuch lukasmasuch Oct 21, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, i think so. Every PR going into develop

Copy link
Collaborator Author

@lukasmasuch lukasmasuch Oct 21, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it also doesn't require any secrets or other things, so I don't expect any issues

@lukasmasuch
Copy link
Collaborator Author

lukasmasuch commented Oct 22, 2022
edited
Loading

Regarding warnings: I just closed a few more warnings. If we figure out if we need to do something about the Potentially inconsistent state update, we are mostly done:

https://github.com/streamlit/streamlit/security/code-scanning?query=pr%3A5579+is%3Aopen+severity%3Acritical%2Chigh%2Cmedium%2Cerror%2Cwarning

I think we can easily get the remaining warnings closed next week.

@lukasmasuch lukasmasuch mentioned this pull request Oct 24, 2022
Closed
9 tasks
@lukasmasuch lukasmasuch merged commit 9d44722 into develop Oct 24, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kmcgrady kmcgrady kmcgrady approved these changes

@vdonato vdonato Awaiting requested review from vdonato

@mayagbarnes mayagbarnes Awaiting requested review from mayagbarnes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 LGTM error reports on 2021-05-05

4 participants

@lukasmasuch @kmcgrady @kajarenc