ci: add static analysis #168
Conversation
To be moved out of draft after #169 is addressed, so that the checks can pass. |
benhoyt
left a comment
Do you know what kinds of things CodeQL catches that staticcheck or golangci-lint doesn't? I'm not familiar with CodeQL.
There's a list in the docs. A lot are very web-y, so not really relevant to Concierge. This doc is a good intro. I think the major selling points are (a) it's from someone well known (GitHub/Microsoft) that hopefully can be more trusted than (for example) Trivy (although who really knows...), (b) free, (c) you can also write your own rules, (d) integration with GitHub (although other tools can do that, like Zizmor does). I think CodeQL is more focused on taint tracking than staticcheck, but I'm not 100% sure on that.
I think this is broken because of canonical/spread#281 -- will need to dig into that more to understand the right fix. |
…for what we need, so use the best possible).
benhoyt
left a comment
Looks good to me, thanks.
This PR adds more static analysis to the CI workflows.
Drive-by bump of Go version, and spread sourced from canonical, which seems to be what we are meant to do now if I understand the issue correctly.
Does not add trivy, based on all the recent issues there.
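For readers who want to see what a CodeQL step in a GitHub Actions workflow looks like for a Go repository, here is an added illustrative workflow. It is not the PR's own diff and is not taken from the project; the job names, the Go version, the `security-extended` query suite and the pinned `@v3` action versions are assumptions chosen for the example, and a real workflow should pin actions by commit SHA rather than by tag.

```yaml
# Example CodeQL workflow (added illustration, not the PR's actual file).
# Assumptions: a Go module at the repo root, Go 1.23, and the
# `security-extended` query suite; adjust to the project's needs.
name: codeql

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"   # weekly run so new queries are applied to unchanged code

# Least privilege: the job only needs to read the repo and upload SARIF
# results to the security tab. Nothing else is granted.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version: "1.23"   # assumed; match the repo's go.mod

      # Initialise CodeQL for Go. `security-extended` adds lower-precision
      # queries on top of the default suite; drop it if noise is a problem.
      - uses: github/codeql-action/init@v3
        with:
          languages: go
          queries: security-extended

      # For Go, CodeQL needs the build to observe; a plain `go build` is
      # enough for a module without cgo or code generation.
      - run: go build ./...

      # Runs the queries and uploads SARIF; this is the step that produces
      # the Code Scanning check on the pull request.
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:go"
```

The `permissions` block matters for the supply-chain concern raised in the thread: without it, a workflow inherits the repository's default token scope, which is often broader than an analysis job needs. The `category` value keeps this upload distinct from any other SARIF producer (e.g. a separate linter job) so results are not overwritten.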