Mailing List Archive

Security features of Github
I would like to leverage the "security features" of GitHub like Dependabot alerts and Code scanning alerts.

First question: Do we want this? Does anyone object?

Second question: Is this possible with our GitHub setup? I know that this question might be better suited for the infra list, but
OTOH I know that some infra guys are here as well.
While Dependabot seems to be only a matter of activating it, which might be easy, I understand that the Code scanning alerts run as
GitHub Actions, and I am not sure if we can use GitHub Actions or what the limits are, as for the CI stuff we use Travis.

Regards

Rüdiger
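As an added illustration, and not part of the original mail or of the project's own repository configuration, this is the shape of the GitHub Actions workflow that code scanning with CodeQL runs in. The branch name `trunk`, the language `cpp` and the weekly schedule are assumptions chosen for the example; the action names and the `security-events: write` permission are what GitHub's CodeQL action actually requires.

```yaml
# Hypothetical .github/workflows/codeql.yml (added example, not the project's file).
name: "CodeQL"

on:
  push:
    branches: [ trunk ]        # assumed default branch
  pull_request:
    branches: [ trunk ]
  schedule:
    - cron: '30 3 * * 1'       # assumed weekly full scan, Monday 03:30 UTC

# Least privilege for the job's GITHUB_TOKEN: read the tree,
# write only to the Code scanning alerts (SARIF upload).
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: cpp         # assumed; one CodeQL language per matrix entry

      # Tries to build the project so the compiled-language extractor
      # sees real compilation units; replace with explicit build steps
      # if autobuild cannot figure the build out.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      # Runs the queries and uploads the SARIF results, which is what
      # populates the repository's "Code scanning alerts" tab.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
```

The `security-events: write` permission is what lets the `analyze` step upload its SARIF results into the Code scanning alerts; without a workflow like this (or some other scanner uploading SARIF through the code scanning API) the alerts tab stays empty, which is why enabling the feature hinges on whether GitHub Actions can run at all in the organisation rather than on a repository setting alone.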
Re: Security features of Github
On 25/06/2021 09.23, Ruediger Pluem wrote:
> I would like to leverage the "security features" of GitHub like Dependabot alerts and Code scanning alerts.
>
> First question: Do we want this? Does anyone object?
>
> Second question: Is this possible with our GitHub setup? I know that this question might be better suited for the infra list, but
> OTOH I know that some infra guys are here as well.
> While Dependabot seems to be only a matter of activating it, which might be easy, I understand that the Code scanning alerts run as
> GitHub Actions, and I am not sure if we can use GitHub Actions or what the limits are, as for the CI stuff we use Travis.
>
> Regards
>
> Rüdiger
>

Dependabot unfortunately is not a viable option, as that would start
leaking potential issues into public space due to how our and their
infra works.
Re: Security features of Github
On 6/25/21 10:04 AM, Daniel Gruno wrote:
> On 25/06/2021 09.23, Ruediger Pluem wrote:
>> I would like to leverage the "security features" of GitHub like Dependabot alerts and Code scanning alerts.
>>
>> First question: Do we want this? Does anyone object?
>>
>> Second question: Is this possible with our GitHub setup? I know that this question might be better suited for the infra list, but
>> OTOH I know that some infra guys are here as well.
>> While Dependabot seems to be only a matter of activating it, which might be easy, I understand that the Code scanning alerts run as
>> GitHub Actions, and I am not sure if we can use GitHub Actions or what the limits are, as for the CI stuff we use Travis.
>>
>> Regards
>>
>> Rüdiger
>>
>
> Dependabot unfortunately is not a viable option, as that would start leaking potential issues into public space due to how our and
> their infra works.
>

This is a pity. What about the Code scanning alerts that require GitHub Actions?

Regards

Rüdiger