Update to add devskim #83
Conversation
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
DevSkim is only supported on Linux OS
| @@ -104,3 +104,13 @@ jobs: | |||
| uses: github/codeql-action/analyze@v3 | |||
| with: | |||
| category: "/language:csharp" | |||
|
|
|||
| - name: Run DevSkim scanner | |||
There was a problem hiding this comment.
I don't like that there isn't a simple way to repro issues locally. Can we integrate it in some way to make local dev work as well?
Good
- Add to dotnet tools
- Add
dotnet tool restoreto YAML (sorry, I thought I added it already) - Add basic pwsh script to run devskim
Better
- Same as above, but integrate into MSBuild via
Execor similar
There was a problem hiding this comment.
That would also avoid the linux-only issue the GitHub Action has
There was a problem hiding this comment.
There's a package we can integrate https://www.nuget.org/packages/Microsoft.CST.DevSkim/
There was a problem hiding this comment.
That would also avoid the linux-only issue the GitHub Action has
I'm already over the Windows builder. It's. So. Slow.
There was a problem hiding this comment.
@MattKotsenas Updated to also include the CA rules, so it's a "yes, and"
There was a problem hiding this comment.
I think that package is just a lib though: https://nuget.info/packages/Microsoft.CST.DevSkim/1.0.33 so I'm not sure how to drive it from that package. Haven't looked much though so go for it.
There was a problem hiding this comment.
Can't use it anyway, doesn't support netstandard 2.0 (only 2.1). I'll go the global tool route so we have something. There's also a VSIX and VSCode extension, but I don't like that for various reasons.
There was a problem hiding this comment.
@MattKotsenas we're going hold off on this. I've raised two issues with DevSkim, microsoft/DevSkim#619 and microsoft/DevSkim#618 to address the issues. 619 is the one I want, so it's super consistent with everything else and "just works"
There was a problem hiding this comment.
Update: The "Good" or "Better" options above are the resolution to microsoft/DevSkim#618
It seems that a Dockerfile defined action (as DevSkim-Action is) is restricted to Linux pipelines only - the workaround seems to be to migrate to a Typescript action. I found a similar issue reported in another repo on GitHub with the same conclusion - peter-evans/create-pull-request#40. For us, the workaround is a little undesirable here - the docker method allows us to ensure that the .NET SDK is available and pull the latest version of the DevSkim tool, without interfering with the users environment, and ultimately the equivalent behavior of the action is only a couple lines of YML.
Link: microsoft/DevSkim#618 (comment)
I think I'm going to abandon this until microsoft/DevSkim#619 is implemented. Right now all the rules are RegEx so the perf is 1) not good, and 2) not always attached to a symbol. There will need to be some reworking on their end to get this to work as a proper analyzer.
What we're missing out on doesn't seem too critical for this project. Lots of making sure you're not doing silly things like disabling HTTPS checks, making sure you use secure URIs, not using weak crypto algos, vulnerable NuGet packages, and so on. Some of those are covered already by other analyzers (built in or otherwise).
Pull request was converted to draft
github-actions
bot
added
the
github_actions
Adds DevSkim rules to check for correctness and security