-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update to add devskim #83
Closed
Closed
Changes from all commits
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
8cc0781
Update main.yml to add devskim
rjmurillo 03ace62
Update DevSkim to only run on Linux
rjmurillo d04bf52
Update Packages.props to add DevSkim analyzers
rjmurillo 4c4e267
Update CodeAnalysis.props to add DevSkim
rjmurillo 36f9d49
Remove DevSkim package
rjmurillo 72015a5
Add DevSkim as a CLI tool
rjmurillo File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't like that there isn't a simple way to repro issues locally. Can we integrate it in some way to make local dev work as well?
Good
dotnet tool restoreto YAML (sorry, I thought I added it already)Better
Execor similarThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would also avoid the linux-only issue the GitHub Action has
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's a package we can integrate https://www.nuget.org/packages/Microsoft.CST.DevSkim/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm already over the Windows builder. It's. So. Slow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@MattKotsenas Updated to also include the CA rules, so it's a "yes, and"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that package is just a lib though: https://nuget.info/packages/Microsoft.CST.DevSkim/1.0.33 so I'm not sure how to drive it from that package. Haven't looked much though so go for it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can't use it anyway, doesn't support netstandard 2.0 (only 2.1). I'll go the global tool route so we have something. There's also a VSIX and VSCode extension, but I don't like that for various reasons.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@MattKotsenas we're going hold off on this. I've raised two issues with DevSkim, microsoft/DevSkim#619 and microsoft/DevSkim#618 to address the issues. 619 is the one I want, so it's super consistent with everything else and "just works"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Update: The "Good" or "Better" options above are the resolution to microsoft/DevSkim#618
Link: microsoft/DevSkim#618 (comment)
I think I'm going to abandon this until microsoft/DevSkim#619 is implemented. Right now all the rules are RegEx so the perf is 1) not good, and 2) not always attached to a symbol. There will need to be some reworking on their end to get this to work as a proper analyzer.
What we're missing out on doesn't seem too critical for this project. Lots of making sure you're not doing silly things like disabling HTTPS checks, making sure you use secure URIs, not using weak crypto algos, vulnerable NuGet packages, and so on. Some of those are covered already by other analyzers (built in or otherwise).