Description
Emergent Requirement - Problem
Currently, the protection rules for the CodeQL PR check are set to their default levels: the PR check fails if there is a security alert of level high or critical, or if there is an alert of level error. We would like to review these levels and decide whether the protection rules should be made stricter, more relaxed, or left as they are.
Issue you discovered this emergent requirement in
Date discovered
6/26/2023
Did you have to do something temporarily
- YES
- NO
Who was involved
@roslynwythe @t-will-gillis @SAUMILDHANKAR
What happens if this is not addressed
CodeQL PR checks would continue running at the default levels. PR checks will not pass if an alert is of level high or critical (security alerts) or error.
Resources
For more information about GitHub code scanning, check out the documentation.
Code Scan Results
List of all CodeQL JS queries
Recommended Action Items
- Make a new issue
- Discuss with team
- Let a Team Lead know
Potential solutions [draft]
A first approach could be to go through the alert levels currently displayed for the website repo and, based on those, decide whether the PR check should fail for each alert level, then update the rules accordingly.
A more detailed analysis might involve going through the alert levels of all the JS queries in the following folder: https://github.com/github/codeql/tree/main/javascript/ql/src and then, based on the HfLA website repo's codebase, deciding on the level of protection rules that aligns with the team's preference.
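As an added example (not from this issue or the HfLA repository), the script below simulates the first approach: it tallies the levels of a list of alerts shaped like the GitHub code scanning alerts API response and reports whether the PR check would fail under a given protection rule, so candidate thresholds can be compared before changing the repo setting. The field names `rule.severity` and `rule.security_severity_level` are assumed from that API; the alert list itself is constructed.

```python
from collections import Counter

# Ordered levels as exposed by the code scanning alerts API (assumed names).
SECURITY_LEVELS = ["low", "medium", "high", "critical"]
SEVERITIES = ["none", "note", "warning", "error"]

# Constructed sample shaped like the alerts API response; not real HfLA alerts.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open",
     "rule": {"id": "js/xss", "severity": "warning", "security_severity_level": "high"}},
    {"number": 2, "state": "open",
     "rule": {"id": "js/unused-local-variable", "severity": "note", "security_severity_level": None}},
    {"number": 3, "state": "open",
     "rule": {"id": "js/incomplete-sanitization", "severity": "warning", "security_severity_level": "medium"}},
    {"number": 4, "state": "dismissed",
     "rule": {"id": "js/prototype-pollution-utility", "severity": "error", "security_severity_level": "critical"}},
]


def tally_open_alerts(alerts):
    """Count open alerts by (severity, security_severity_level).

    This shows which levels the repo actually produces, which is the input
    the team needs before deciding where to set the failure threshold.
    """
    return Counter(
        (a["rule"]["severity"], a["rule"].get("security_severity_level"))
        for a in alerts if a["state"] == "open"
    )


def check_fails(alerts, min_security="high", min_severity="error"):
    """Return True if the PR check would fail under the given protection rule.

    The check fails when any open security alert is at or above `min_security`,
    or any open alert has a severity at or above `min_severity`. The defaults
    mirror the rule described in the issue: high/critical security alerts or errors.
    """
    sec_floor = SECURITY_LEVELS.index(min_security)
    sev_floor = SEVERITIES.index(min_severity)
    for a in alerts:
        if a["state"] != "open":
            continue  # dismissed and fixed alerts do not affect the check
        rule = a["rule"]
        level = rule.get("security_severity_level")
        if level is not None and SECURITY_LEVELS.index(level) >= sec_floor:
            return True
        if SEVERITIES.index(rule["severity"]) >= sev_floor:
            return True
    return False


if __name__ == "__main__":
    print(tally_open_alerts(SAMPLE_ALERTS))
    for rule in [("high", "error"), ("critical", "error"), ("medium", "warning")]:
        print(rule, "fails" if check_fails(SAMPLE_ALERTS, *rule) else "passes")
```

Running the same three rules over the real alert list (fetched from the code scanning alerts API) shows directly which threshold the team's current findings would trip.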