Shut down of LGTM.com

Here's the place for discussion related to coding in FreeCAD, C++ or Python. Design, interfaces and structures.
saso
Veteran
Posts: 1924
Joined: Fri May 16, 2014 1:14 pm

Shut down of LGTM.com

Post by saso »

As announced in August, LGTM.com was shut down, and as per the recommendation in the announcement we could try to set it up again with GitHub Actions... https://github.blog/2022-08-15-the-next ... -scanning/

Actions for running CodeQL analysis
https://github.com/github/codeql-action
https://github.blog/2023-01-09-default- ... -scanning/
https://github.blog/2023-04-17-multi-re ... ositories/

PS: I have noticed j8sr0230 is using it for his Nodes WB https://github.com/j8sr0230/Nodes/actio ... codeql.yml

Last edited by saso on Thu Apr 27, 2023 9:49 am, edited 4 times in total.
saso
Veteran
Posts: 1924
Joined: Fri May 16, 2014 1:14 pm

Re: Shut down of LGTM.com

Post by saso »

A few other security-related GitHub Actions that could possibly be interesting to check and maybe add to the FC GitHub Actions...

OpenSSF Scorecard - Security health metrics for Open Source
https://securityscorecards.dev/
https://github.com/ossf/scorecard
https://opensource.googleblog.com/2023/ ... later.html
OpenSSF Scorecard should be possible to add quite easily and quickly, since it only makes some general checks on how the repository is set up; all the other tools listed here are actually things that are checked and recommended by OpenSSF Scorecard...

OSV-Scanner (Already integrated in OpenSSF Scorecard)
https://github.com/google/osv-scanner
https://google.github.io/osv-scanner/
https://security.googleblog.com/2022/12 ... ility.html
https://security.googleblog.com/2023/03 ... cycle.html
https://opensource.googleblog.com/2024/ ... ities.html
https://osv.dev/
https://github.com/google/osv.dev
https://github.com/ossf/osv-schema

Supply-chain Levels for Software Artifacts, or SLSA ("salsa")
https://slsa.dev/
https://slsa.dev/blog/2022/08/slsa-gith ... generic-ga
https://openssf.org/press-release/2023/ ... 0-release/
https://security.googleblog.com/2023/04 ... tware.html
https://github.com/slsa-framework/slsa
https://github.com/slsa-framework/slsa-verifier
https://github.com/slsa-framework/slsa-github-generator

Socket proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection
https://socket.dev/

ClusterFuzzLite
https://google.github.io/clusterfuzzlite/
https://google.github.io/clusterfuzzlit ... b-actions/
https://github.com/google/clusterfuzzlite

Also the use of https://app.stepsecurity.io as often recommended by the above OpenSSF Scorecard for the different "Token-Permissions" and "Pinned-Dependencies" issues...

And the Google Engineering Practices Documentation https://google.github.io/eng-practices/
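To make the two posts concrete, here is an added example of what a CodeQL workflow for a C++/Python repository like FreeCAD could look like, written to satisfy the Scorecard "Token-Permissions" and "Pinned-Dependencies" points mentioned above. It is not taken from FreeCAD or from any of the linked projects; the file path, the branch name `main` and the weekly cron time are assumptions.

```yaml
# .github/workflows/codeql.yml   (added example; path and branch name are assumptions)
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "17 3 * * 1"   # weekly full scan, Monday 03:17 UTC (arbitrary choice)

# Scorecard "Token-Permissions": give GITHUB_TOKEN only what the job needs
# (read the repo, read workflow metadata, upload SARIF results) instead of
# the repository's default write-all grant.
permissions:
  contents: read
  actions: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [cpp, python]   # FreeCAD core is C++, workbenches/scripting are Python
    steps:
      # Scorecard "Pinned-Dependencies" expects each action pinned to a full commit
      # SHA, e.g.  actions/checkout@<40-hex-sha> # v4  . Version tags are used below
      # for readability; swap in the SHA of the release you audited.
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended   # broader security query suite than the default

      # For C++ CodeQL has to observe a real compilation. autobuild tries to detect
      # the build system (CMake); replace it with explicit cmake/make steps if the
      # auto-detected build fails or misses parts of the tree.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Results land in the repository's Security tab as code-scanning alerts, which is where the former LGTM.com findings would be reviewed now; the OpenSSF Scorecard action from the second post can be added as a separate workflow with the same minimal-permissions pattern.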