create codeql-analysis pipeline for python #281

Open
wants to merge 2 commits into base: main

Conversation

binguliki (Contributor)

πŸ› οΈ Related Issue

πŸ“ Description

Implemented Codeql Ci-Cd pipeline for python

πŸ” Type of PR

  • ✨ Feature enhancement

📸 Screenshots / 🎥 Videos (if applicable)

✅ Checklist

  • I have performed a self-review of my code.
  • I have read and followed the Contribution Guidelines.
  • I have tested the changes thoroughly before submitting this pull request.
  • I have provided relevant issue numbers, screenshots, and videos after making the changes.
  • I have commented my code, particularly in hard-to-understand areas.

ℹ️ Additional Context

Steps to Verify the Workflow:

  1. Navigate to the Actions Tab:

    • Go to your GitHub repository.
    • Click on the "Actions" tab located near the top of the repository page.
  2. Check for Recent Workflow Runs:

    • Look for the "CodeQL" workflow in the list of workflows on the left-hand side.
    • You should see a list of recent runs with statuses (e.g., success, failure) next to them.
  3. Review Workflow Runs:

    • Click on the latest run of the "CodeQL" workflow.
    • You will see a detailed view of the workflow run, including the status of each job and step.
  4. Check Job and Step Statuses:

    • Ensure that the "Analyze" job has run for each Python version specified in the matrix.
    • Each step within the job should have a green check mark (✔) indicating success. If any step fails, it will have a red cross (✘).
  5. View Logs for Detailed Information:

    • Click on any job or step to expand it and view the logs.
    • The logs provide detailed information about what was executed and can help diagnose any issues.
  6. Look for CodeQL Analysis Results:

    • The final step "Perform CodeQL Analysis" uploads the results to GitHub.
    • If the analysis found any issues, they will be reported under the "Security" tab of your repository or in the pull request checks.

Common Issues and Resolutions:

  1. Step Failure:

    • If any step fails, review the logs for that step to understand the error.
    • Common issues include dependency installation failures or build errors. Ensure your requirements.txt is correct and that all dependencies are available.
  2. CodeQL Analysis Errors:

    • If the CodeQL analysis step fails, check the logs for details. It may be due to issues in the codebase that need to be addressed.
  3. Missing Results:

    • If results are not showing up, ensure that the workflow has permission to write security events. This is set in the permissions section of the YAML file:
      permissions:
        actions: read
        contents: read
        security-events: write

Example of Successful Run:

  • Green Check Marks: When a workflow runs successfully, each step will show a green check mark next to it. If all steps have green check marks, it means the workflow executed without errors.

Next Steps:

  1. Fix Issues: If any issues are found by the CodeQL analysis, fix them in your codebase and commit the changes. The workflow will rerun on subsequent pushes or pull requests.

  2. Regular Monitoring: Keep an eye on the "Actions" and "Security" tabs to monitor the health of your codebase and ensure no new issues are introduced.

By following these steps, you can ensure that the CodeQL workflow is set up correctly and continuously monitors your code for vulnerabilities and quality issues.
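For reference, here is a complete workflow that matches the steps the description walks through (an "Analyze" job run once per Python version in a matrix, a final "Perform CodeQL Analysis" step, and the permissions block from the "Missing Results" item). This is an added example, not the file from this PR, whose contents do not appear here; the branch name, schedule and Python versions are assumptions.

```yaml
name: "CodeQL"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "30 3 * * 1"   # assumed weekly run: new queries also cover unchanged code

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    # Least privilege for the job token: only the SARIF upload needs a write scope
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        python-version: [ "3.9", "3.10", "3.11", "3.12" ]   # assumed versions

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: python

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          # Distinct category per matrix leg so uploads do not overwrite each other
          category: "/language:python/python-${{ matrix.python-version }}"
```

Without a per-leg category, each matrix job's SARIF upload replaces the previous one and only the last Python version's findings remain under the Security tab.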

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@binguliki (Contributor Author)

@Akshat111111 Hey bro 👋, can you please review the changes and give the Level2 tag under GSSoC'24?

@Akshat111111 (Owner) left a comment

I will merge this PR after the assignee's PR

Successfully merging this pull request may close these issues.

💡[FEATURE]: implement codeql ci/cd workflow for python
2 participants