Description
Emergent Requirement - Problem
We require issues to track each CodeQL alert. The issue that tracks a CodeQL alert will require the analysis of the alert and either a code change to "fix" the alert or a recommendation to "dismiss" the alert (for example, as a false positive). Currently, the tracking issues have been created manually, but it would be desirable to generate the issues automatically.
Details
- If any GitHub issue contains a CodeQL alert URL in a task item, the issue will become a tracking issue to the alert.
- In this ER we are only concerned with alerts raised on production code (the gh-pages branch), not with alerts raised within pull requests.
- Since GitHub will block merging of any PR that has a high or critical severity alert, the only new alerts on production code will come from medium or lower severity alerts, or from changes in the CodeQL queries that cause existing code to be flagged.
Issue you discovered this emergent requirement in
Date discovered
6/23/2023
Did you have to do something temporarily
- YES
- NO
Who was involved
@SAUMILDHANKAR @t-will-gillis @roslynwythe
What happens if this is not addressed
Tracking issues will have to be created manually for each CodeQL alert, and new alerts may go unnoticed.
Resources
Recommended Action Items
- Make a new issue
- Discuss with team
- Let a Team Lead know
Potential solutions [draft]
Develop a GHA that examines every open CodeQL alert; for each one, check whether a tracking issue exists and which branch the alert was raised on. If a CodeQL alert from gh-pages does not have a tracking issue, create a new issue based on the template below, move the issue to the "New Issue Approval" column, and add the "ready for dev lead" label. Because an issue counts as tracking an alert only when the alert URL appears in one of its task items, the generated issue must list the alert URL as a task item; otherwise the next run of the action will not recognize it and will open a duplicate.
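The following is an added example of the core of such an action, written for actions/github-script; it is not code from this issue or from the repository. It lists open alerts and open issues, treats an alert as tracked only when its URL appears in a task item of an open (non-PR) issue, skips alerts whose most recent instance is on a PR ref, and creates one issue per untracked gh-pages alert. The Octokit REST methods and the alert/issue field names are the real ones; the issue title and body wording, the "ready for dev lead" label, and the sample alerts and issues are assumptions constructed for the example. Moving the new issue into the "New Issue Approval" project column is not shown, since the API for that depends on the project type.

```javascript
// Added example, not code from the original issue or the hackforla/website
// repo: the core of a GitHub Action that finds open CodeQL alerts raised on
// gh-pages that have no tracking issue and opens one per untracked alert.
// Written for actions/github-script, where `github` is an authenticated
// Octokit client. The REST methods used are real Octokit methods; the issue
// title/body wording and the "ready for dev lead" label are assumptions.

// A task item line, e.g. "- [ ] some text https://github.com/.../code-scanning/12"
const TASK_ITEM_RE = /^\s*[-*]\s+\[[ xX]\]\s+(.*)$/gm;
// A code-scanning alert URL; the trailing number is the alert number
const ALERT_URL_RE = /https:\/\/github\.com\/[\w.-]+\/[\w.-]+\/security\/code-scanning\/\d+/g;

// Alert URLs that appear inside task items of an issue body. Per the rule in
// this ER, only task items make an issue a tracking issue, so a URL that is
// merely mentioned in prose is ignored.
function alertUrlsInTaskItems(body) {
  const urls = new Set();
  for (const item of (body || '').matchAll(TASK_ITEM_RE)) {
    for (const url of item[1].matchAll(ALERT_URL_RE)) urls.add(url[0]);
  }
  return urls;
}

// Open alerts whose most recent instance is on `ref` and whose html_url is not
// tracked by any open issue. Pull requests are skipped: issues.listForRepo
// returns them as well, and a PR checklist is not a tracking issue.
function untrackedAlerts(alerts, issues, ref = 'refs/heads/gh-pages') {
  const tracked = new Set();
  for (const issue of issues) {
    if (issue.pull_request) continue;
    for (const url of alertUrlsInTaskItems(issue.body)) tracked.add(url);
  }
  return alerts.filter(
    (a) => a.most_recent_instance?.ref === ref && !tracked.has(a.html_url),
  );
}

// Build the tracking issue for one alert. The alert URL is written as a task
// item so the new issue satisfies alertUrlsInTaskItems() and the next run does
// not open a duplicate. Title/body layout is an assumption for this example.
function trackingIssueFor(alert) {
  const inst = alert.most_recent_instance;
  const severity = alert.rule.security_severity_level || alert.rule.severity;
  return {
    title: `CodeQL alert #${alert.number}: ${alert.rule.description}`,
    body: [
      '### Overview',
      `CodeQL raised alert #${alert.number} (rule \`${alert.rule.id}\`, severity ${severity}) ` +
        `on \`${inst.ref}\` in \`${inst.location.path}\` line ${inst.location.start_line}.`,
      '',
      '### Action Items',
      `- [ ] ${alert.html_url}`,
      '- [ ] Analyze the alert and either fix the code or recommend dismissal (for example, as a false positive)',
    ].join('\n'),
    labels: ['ready for dev lead'],
  };
}

// Entry point for github-script: list alerts and issues, create what is missing.
// Returns the issues it created (or would create when dryRun is true).
async function syncTrackingIssues(github, owner, repo, { dryRun = false } = {}) {
  const alerts = await github.paginate(github.rest.codeScanning.listAlertsForRepo,
    { owner, repo, state: 'open', per_page: 100 });
  const issues = await github.paginate(github.rest.issues.listForRepo,
    { owner, repo, state: 'open', per_page: 100 });
  const created = [];
  for (const alert of untrackedAlerts(alerts, issues)) {
    const issue = trackingIssueFor(alert);
    if (!dryRun) await github.rest.issues.create({ owner, repo, ...issue });
    created.push(issue);
  }
  return created;
}

// Constructed sample data (not real alerts) in the shape the REST API returns.
const SAMPLE_ALERTS = [
  { number: 12, html_url: 'https://github.com/example-org/example-site/security/code-scanning/12',
    rule: { id: 'js/xss', description: 'Client-side cross-site scripting', severity: 'error', security_severity_level: 'medium' },
    most_recent_instance: { ref: 'refs/heads/gh-pages', location: { path: 'assets/js/app.js', start_line: 40 } } },
  { number: 13, html_url: 'https://github.com/example-org/example-site/security/code-scanning/13',
    rule: { id: 'js/unused-local-variable', description: 'Unused variable', severity: 'note', security_severity_level: null },
    most_recent_instance: { ref: 'refs/heads/gh-pages', location: { path: 'assets/js/map.js', start_line: 7 } } },
  { number: 14, html_url: 'https://github.com/example-org/example-site/security/code-scanning/14',
    rule: { id: 'js/xss', description: 'Client-side cross-site scripting', severity: 'error', security_severity_level: 'medium' },
    most_recent_instance: { ref: 'refs/pull/99/merge', location: { path: 'assets/js/new.js', start_line: 3 } } },
];
const SAMPLE_ISSUES = [
  // Tracks alert 12 via a task item
  { number: 501, body: 'Fix this alert:\n- [ ] https://github.com/example-org/example-site/security/code-scanning/12\n- [ ] Open PR' },
  // Mentions alert 13 in prose only: not a tracking issue
  { number: 502, body: 'See https://github.com/example-org/example-site/security/code-scanning/13 for context.' },
  // A PR whose checklist lists alert 13: not a tracking issue either
  { number: 503, pull_request: { url: 'x' }, body: '- [x] https://github.com/example-org/example-site/security/code-scanning/13' },
];
```

With the sample data, only alert 13 is untracked: alert 12 has a tracking issue, and alert 14 was raised on a PR ref and is out of scope for this ER. Running the action with the default GITHUB_TOKEN requires `security-events: read` (to list code scanning alerts) and `issues: write` (to create issues) in the workflow's `permissions:` block. Run it with `dryRun: true` first to review the issues it would open.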