[QGIS-Developer] [security] Activate CodeQL Scanning in Github
Régis Haubourg
regis.haubourg at gmail.com
Wed Nov 13 00:58:17 PST 2024
Hi all,

the security requirements of IT departments keep on growing and we
receive more and more requests on the security mail.

The topic is broad, from filling in custom forms based on various
national or company-specific policies, to very precise vulnerability
scanning, or even asking us what we do to prevent XZ-like social
engineering attacks.

To get a better score on good practices [0], a simple first step would
be to activate code scanning. GitHub provides CodeQL [1] for free. I
would like to activate it and see how it goes.

Would you be OK with activating this and seeing how it goes (too much
spamming, limitations on our codebase, more advanced configuration
required, etc.)?

In case of no reaction, I'll push the button on Friday and see what
happens :)

@lova @Tim, we probably should do similar things for our websites; we
have some bounty seekers raising disclosures on our websites. I'd prefer
that we catch those CVEs earlier than have to deal with some of those
anonymous persons.

Thanks a lot!
Régis
[0] https://securityscorecards.dev/viewer/?uri=github.com/qgis/QGIS
[1] https://codeql.github.com/
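As an added illustration (not part of Régis's mail and not a workflow from the QGIS project), this is what a minimal GitHub Actions workflow enabling CodeQL code scanning for a C++ and Python code base looks like. The branch name, the weekly schedule, the `security-extended` query suite and the choice of `autobuild` for C++ are assumptions; for a large CMake project the autobuild step typically has to be replaced with explicit build commands, which is the "more advanced configuration" the mail anticipates.

```yaml
# .github/workflows/codeql.yml  (example; file path and branch are assumptions)
name: "CodeQL"

on:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]
  schedule:
    # Weekly full scan so new queries also cover code that did not change.
    - cron: "0 3 * * 1"

# Least privilege: the job only needs to read the repo and upload results
# to the Security tab (code-scanning alerts).
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          # Interpreted code needs no build for extraction.
          - language: python
            build-mode: none
          # Compiled code: CodeQL traces the build. 'autobuild' is a guess
          # that often fails on big CMake projects; switch to 'manual' and
          # add the real cmake/ninja steps between init and analyze if so.
          - language: c-cpp
            build-mode: autobuild

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          # Broader security-focused query pack than the default suite;
          # expect more findings (and more noise) to triage at first.
          queries: security-extended

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          # Separate SARIF categories so results per language do not
          # overwrite each other in the Security tab.
          category: "/language:${{ matrix.language }}"
```

Results land as code-scanning alerts on the repository's Security tab and, for pull requests, as annotations on the changed lines; tuning the `queries` value back to the default suite, or adding a `paths-ignore` config, is the usual way to deal with the "too much spamming" case the mail raises.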