Skip to content

Commit

Permalink
Merge pull request #1 from aleks-ivanov/feature/add-dependabot-codeql
Browse files Browse the repository at this point in the history
Add CodeQL and Dependabot
  • Loading branch information
aleks-ivanov authored Feb 24, 2021
2 parents 2cd256f + deed7dd commit 85dda73
Show file tree
Hide file tree
Showing 11 changed files with 136 additions and 0 deletions.
15 changes: 15 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
version: 2
updates:
- package-ecosystem: "github-actions"
# default location of `.github/workflows`
directory: "/"
schedule:
interval: "weekly"

- package-ecosystem: "nuget"
# location of package manifests
directory: "/"
schedule:
interval: "daily"

# Built with ❤ by [Pipeline Foundation](https://pipeline.foundation)
54 changes: 54 additions & 0 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
name: CodeQL Analysis

on:
push:
pull_request:
workflow_dispatch:
schedule:
- cron: '0 8 * * *'

jobs:
analyze:
name: codeql-analysis
runs-on: windows-latest
steps:
- name: Setup .NET
id: setup_dotnet
uses: actions/setup-dotnet@v1
with:
dotnet-version: 5.0.x

- name: Checkout repository
id: checkout_repo
uses: actions/checkout@v2

- name: Clean .NET cache
id: clean_dotnet_cache
shell: pwsh
run: |
dotnet clean ./ModernWpf.sln --configuration Release
dotnet nuget locals all --clear
- name: Install dependencies
id: dotnet_restore
shell: pwsh
run: |
dotnet restore
- name: Initialize CodeQL
id: init_codeql
uses: github/codeql-action/init@v1
with:
queries: security-and-quality

- name: Build
id: dotnet_build
shell: pwsh
run: |
dotnet build --configuration Release --no-restore
- name: Perform CodeQL Analysis
id: analyze_codeql
uses: github/codeql-action/analyze@v1

# Built with ❤ by [Pipeline Foundation](https://pipeline.foundation)
67 changes: 67 additions & 0 deletions CI-CD_DOCUMENTATION.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
# ModernWpf CI/CD documentation

## 1. Set up Dependabot

Dependabot is a GitHub native security tool that goes through the dependencies in the project and creates alerts, and PRs with updates when a new and/or non-vulnerable version is found.

- for PRs with version updates, this pipeline comes pre-configured for all current dependency sources in the project, so at "Insights" tab -> "Dependency graph" -> "Dependabot", you should be able to see all tracked sources of dependencies, when they have been checked last and view a full log of the last check

![Dependabot_tab](/CI-CD_DOCUMENTATION/Dependabot_tab.png)

![Dependabot_log_page](/CI-CD_DOCUMENTATION/Dependabot_log_page.png)

### Set up security alerts and updates
##### - GitHub, through Dependabot, also natively offers a security check for vulnerable dependencies

1. Go to the project's GitHub repository and click on the **Settings** tab

2. Go to **Security & analysis** section

3. Click "Enable" for both "Dependabot alerts" and "Dependabot security updates"

- By enabling "Dependabot alerts", you would be notified for any vulnerable dependencies in the project. At "Security" tab -> "Dependabot alerts", you can manage all alerts. By clicking on an alert, you would be able to see a detailed explanation of the vulnerability and a viable solution.

![Dependabot_alerts_page](/CI-CD_DOCUMENTATION/Dependabot_alerts_page.png)

![Dependabot_alert_page](/CI-CD_DOCUMENTATION/Dependabot_alert_page.png)

- By enabling "Dependabot security updates", you authorize Dependabot to create PRs specifically for **security updates**

![Dependabot_PRs](/CI-CD_DOCUMENTATION/Dependabot_PRs.png)

### Set up Dependency graph
##### - The "Dependency graph" option should be enabled by default for all public repos, but in case it isn't:

1. Go to the project's GitHub repository and click on the **Settings** tab

2. Go to **Security & analysis** section

3. Click "Enable" for the "Dependency graph" option

- this option enables the "Insights" tab -> "Dependency graph" section -> "Dependencies" tab, in which all the dependencies for the project are listed, under the different manifests they are included in

![Dependabot_dependency_graph](/CI-CD_DOCUMENTATION/Dependabot_dependency_graph.png)

NOTE: **screenshots are only exemplary**

<br>

## 2. CodeQL

CodeQL is GitHub's own industry-leading semantic code analysis engine. CodeQL requires no setup, because it comes fully pre-configured by us.

To activate it and see its results, only a push commit or a merge of a PR to the default branch of your repository, is required.

We've also configured CodeQL to run on schedule, so every day at 8:00AM UTC, it automatically tests the code.

- you can see the results here at **Security** tab -> **Code scanning alerts** -> **CodeQL**:

![CodeQL_results](/CI-CD_DOCUMENTATION/CodeQL_results.png)

- on the page of each result, you can see an explanation of what the problem is and also one or more solutions:

![CodeQL_alert_page](/CI-CD_DOCUMENTATION/CodeQL_alert_page.png)

#

Built with ❤ by [Pipeline Foundation](https://pipeline.foundation)
Binary file added CI-CD_DOCUMENTATION/CodeQL_alert_page.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added CI-CD_DOCUMENTATION/CodeQL_results.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added CI-CD_DOCUMENTATION/Dependabot_PRs.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added CI-CD_DOCUMENTATION/Dependabot_alert_page.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added CI-CD_DOCUMENTATION/Dependabot_alerts_page.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added CI-CD_DOCUMENTATION/Dependabot_log_page.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added CI-CD_DOCUMENTATION/Dependabot_tab.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.

0 comments on commit 85dda73

Please sign in to comment.