
Integration Psalm Security Scan Actions in a Security Starter Workflow #6

eroullit opened this issue Feb 17, 2023 · 11 comments

Comments

@eroullit
Contributor

Hi Psalm Team! 👋

GitHub offers a wide variety of starter workflows to help the community integrate new CI pipelines quickly and efficiently.

I have prepared a pull request aiming to integrate the Psalm Security Scan workflow within it.
To finalise it, your action would need to be registered in the GitHub technology partner program.

If you are interested, could you fill out this form?

In any case, feel free to contact me.

@weirdan
Member

weirdan commented Feb 17, 2023

I suppose we need to fix the build first.

@eroullit
Contributor Author

eroullit commented Mar 1, 2023

Hey @weirdan! 👋

The build is back in shape and we are starting to get positive feedback about it ✨

I would like to finalise the work initiated on the starter-workflow repo to make it a breeze to integrate the Psalm Security Scan workflow in a repo.

For that, the psalm/psalm-github-security-scan action would need to be enrolled in the GitHub technology partner program.

@weirdan
Member

weirdan commented Mar 1, 2023

That form doesn't make much sense to me. We're not a business (none of the active maintainers, for sure). Vimeo likely holds the copyright (@muglug can you clarify?) but is not actively involved in Psalm anymore, as far as I can tell.

@eroullit
Contributor Author

eroullit commented Mar 3, 2023

Hey @weirdan! 👋

The technical partner program is mainly for third-party components which are integrated into GitHub itself or into its Marketplace.

Its related terms and conditions can be found here, and they would need to be agreed to by the current maintainers.

@muglug
Member

muglug commented Mar 3, 2023

Hey! The main worry I have here is the increased burden on Psalm’s volunteer maintainers when someone starts using security analysis via this workflow, having not used Psalm before.

Psalm’s security analysis works best in the hands of a security researcher who understands the capabilities of it and similar tools. I’m concerned that push-button workflows that lack a contractual commitment might create an onerous amount of work.

@eroullit
Contributor Author

eroullit commented Mar 7, 2023

First and foremost, I would like to thank you for maintaining Psalm and all related actions. ❤️

It is already greatly helping all PHP-based open-source software developers and security researchers find defects not only in existing codebases but also in newly developed code.

Users' feedback about alerts raised by Psalm has been very positive overall.
Even more so since the Psalm security action has been updated.

Many open-source projects, backed either by companies or by volunteers, have chosen to have dedicated starter workflows to give users an easy and correct way to set up the first version of their static analysis workflows, such as:

So far, the synergies between the security researchers building these tools and the developers have been a boon for software security, allowing them to ship safer and better code overall.

@griffinashe

Hi @muglug, I work on our security ecosystem team here at GitHub. Would you be open to talking through this some time soon?

@orklah
Contributor

orklah commented Jun 21, 2023

Hey @griffinashe! Matt no longer works on Psalm. I could try to answer your questions, though I'm not exactly sure I understand all the ins and outs of what is suggested in this thread.

@griffinashe

@orklah - Sorry for the delayed response. If you email me @[email protected] with some times that work for you the week of July 10th or July 17th, I can send an invite out to discuss.

@orklah
Contributor

orklah commented Jul 6, 2023

I'm not very used to having oral discussions in English. Could that be an email or a chat?

@griffinashe

@orklah Of course. Please send me an email at the address in my previous message and we can discuss there.
