Integration Psalm Security Scan Actions in a Security Starter Workflow #6
I suppose we need to fix the build first.
Hey @weirdan ! 👋 The build is back in shape and we are starting to get positive feedback about it ✨ I would like to finalise the work initiated on the starter-workflow repo to make it a breeze to integrate the Psalm Security Scan workflow in a repo. For that, the
That form doesn't make much sense to me. We're not a business (none of the active maintainers, for sure). Vimeo likely holds the copyright (@muglug can you clarify?) but is not actively involved in Psalm anymore, as far as I can tell.
Hey @weirdan ! 👋 The technical partner program is mainly for third-party components which are integrated in GitHub itself or in its Marketplace. Its related terms and conditions can be found here and they would need to be agreed to by the current maintainers.
Hey! The main worry I have here is the increased burden on Psalm's volunteer maintainers when someone starts using security analysis via this workflow, having not used Psalm before. Psalm's security analysis works best in the hands of a security researcher who understands the capabilities of it and similar tools. I'm concerned that push-button workflows that lack a contractual commitment might create an onerous amount of work.
First and foremost, I would like to thank you for maintaining Psalm and all related actions. ❤️ It is already greatly helping all PHP-based open source software developers and security researchers find defects in existing codebases as well as in newly developed code. Users' feedback about alerts raised by Psalm has been very positive overall. Many open-source projects backed either by companies or volunteers have chosen to have dedicated starter workflows to give users an easy and correct way to set up the first version of their static analysis workflows, such as:
So far, the synergies between the security researchers building these tools and the developers have been a boon for software security, allowing them to ship safer and better code overall.
Hi @muglug, I work on our security ecosystem team here at GitHub. Would you be open to talking through this some time soon?
Hey @griffinashe! Matt no longer works on Psalm. I could try to answer your questions, though I'm not exactly sure I understand all the ins and outs of what is suggested in this thread.
@orklah - Sorry for the delayed response. If you email me @[email protected] with some times that work for you the week of July 10th or July 17th I can send an invite out to discuss.
I'm not very used to having oral discussions in English. Could that be an email or a chat?
@orklah Of course. Please send me an email at the address in my previous message and we can discuss there.
Hi Psalm Team! 👋
GitHub offers a wide variety of starter workflows to help the community integrate new CI pipelines quickly and efficiently.
I have prepared a pull request aiming to integrate the Psalm Security Scan workflow within it.
To finalise it, your action would need to be registered in the GitHub technology partner program.
If you are interested, could you fill out this form?
In any case, feel free to contact me.