INFRA-2774 (Infrastructure project)

Code scanning for Pipeline plugins



      Description

      I'd like to try turning on code scanning for the following plugins:

      jenkinsci/script-security-plugin
      jenkinsci/workflow-cps-plugin
      jenkinsci/workflow-job-plugin
      

      Eventually, I'd like to turn on code scanning for a lot more plugins, but let's start with these for now.


          Activity

Daniel Beck (danielbeck) added a comment -

          Thanks for signing up!

          An initial scan is finished, and I added the repo(s) to the list for future re-scans.

          Unresolved findings are shown with an "unread indicator" on the "Security" tab on each repo.

          If you think a finding is a true positive security issue, please file those in the SECURITY tracker so we can review the fix and coordinate a release.

          We're using GitHub's CodeQL as the tool for this, but only execute our own, Jenkins-specific queries. For general purpose queries, you can check out the plugin repos on lgtm.com, or add regular CodeQL code scanning to your plugins.

          If you have questions or feedback, as a security team member, please file issues in jenkinsci-cert/codeql.

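The comment above notes that the security team's scan runs only Jenkins-specific queries and suggests adding GitHub's regular CodeQL code scanning to a plugin as well. As an added illustration, not part of this ticket or of the jenkinsci-cert/codeql project, the following GitHub Actions workflow is the standard way to do that for a Maven-built Jenkins plugin. It assumes the plugin builds with JDK 11 and Maven on the default branch named master; the workflow name, schedule and query suite are choices for this example, not anything the ticket specifies.

```yaml
# Added example (not from INFRA-2774 or jenkinsci-cert/codeql): enable GitHub's
# standard CodeQL code scanning for a Jenkins plugin repository.
# Assumptions: Maven build, JDK 11, default branch "master".
name: CodeQL

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
  schedule:
    - cron: '30 4 * * 1'   # weekly re-scan so new queries catch old code too

permissions:
  contents: read
  security-events: write   # required to upload results to the Security tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: '11'

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: java
          # "security-extended" adds lower-confidence security queries on top of
          # the default suite; drop this line to keep only the default queries.
          queries: security-extended

      # CodeQL extracts a Java database by observing the build, so the plugin
      # must actually compile here. Tests are skipped: they slow the job down and
      # do not change the analysis of the main source tree.
      - name: Build plugin
        run: mvn -B -ntp -DskipTests verify

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v2
```

Findings from this workflow appear on the same "Security" tab as the security team's Jenkins-specific results, so both sets can be triaged in one place; anything that looks like a real vulnerability still belongs in the SECURITY tracker rather than a public issue, as the comment asks.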

            People

            Assignee:
            danielbeck Daniel Beck
            Reporter:
            dnusbaum Devin Nusbaum