Skip to content

Comments

FEAT [DTECSCSAO-4805] GHAS integration: Code scanning & Dependency review #21

Merged
pdulimitta merged 14 commits intomainfrom
feature/ghas_integration
Jul 1, 2025
Merged

FEAT [DTECSCSAO-4805] GHAS integration: Code scanning & Dependency review #21
pdulimitta merged 14 commits intomainfrom
feature/ghas_integration

Conversation

@sekhara-madduru
Copy link
Collaborator

@sekhara-madduru sekhara-madduru commented Feb 19, 2025

JIRA ID | Git Issue

https://paypal.atlassian.net/browse/DTECSCSAO-4805

Change Type

  • Bug fix (is this a backward compatible change?)
  • New feature (is this a backward compatible change?)
  • Breaking change (is this a non-backward compatible change?)
  • DB changes (add scripts in the sql/migrations/{date} folder)

Change Impact

Summary

  • GHAS integration: Adding a workflow action files for Code scanning & Dependency review.

Demo

Notes

The PayPal Product Security Team is replacing Coverity, Black Duck, and Cycode with GitHub Advanced Security (GHAS). This change will affect all PayPal and business unit production repositories on GitHub. GitHub Advanced Security provides three important security scanning capabilities including plaintext secrets detection, software composition analysis (SCA) for open source software (OSS) via Dependabot and Dependency Review, and static code analysis via CodeQL. We’re making this change because contracts for our existing software security tools are expiring and because we heard strong developer feedback in support of GHAS. You can access GHAS by clicking on the “Security” tab in your repository. Please keep an eye on this Security tab and respond to the security findings that appear here and in your Pull Requests (PRs). GHAS is essential to PayPal's Product Security program, ensuring we meet industry standards, regulatory mandates, and our commitment to customer security and trust.

Testing Instructions

  • Monitoring actions logs.
  • Make sure all scans successful and results shown.

@github-advanced-security
Copy link

github-advanced-security bot commented Feb 19, 2025

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

estrajnik
estrajnik requested changes Feb 20, 2025
View reviewed changes
estrajnik
estrajnik previously requested changes Mar 26, 2025
View reviewed changes
@lony25 lony25 requested a review from estrajnik April 14, 2025 05:45
tlobbregt
tlobbregt reviewed Apr 15, 2025
View reviewed changes
@github-actions
Copy link

github-actions bot commented Jun 11, 2025
edited
Loading

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 2 package(s) with unknown licenses.
See the Details below.

Snapshot Warnings

⚠️: The number of snapshots compared for the base SHA (3) and the head SHA (4) do not match. You may see unexpected additions in the diff.
Re-running this action after a short time may resolve the issue. See the documentation for more information and troubleshooting advice.

License Issues

.github/workflows/security.code-scanning.yml

PackageVersionLicenseIssue Type
chargehound/security-workflows-public/.github/workflows/codeql-java.ymltest-gradle-submissionNullUnknown License

.github/workflows/security.dependency-review.yml

PackageVersionLicenseIssue Type
chargehound/security-workflows-public/.github/workflows/dependency-review-gradle.ymltest-gradle-submissionNullUnknown License

Scanned Files

  • .github/workflows/security.code-scanning.yml
  • .github/workflows/security.dependency-review.yml
  • build/dependency-graph.json

@sekhara-madduru
Copy link
Collaborator Author

sekhara-madduru commented Jun 13, 2025

@dependabot recreate

@sekhara-madduru sekhara-madduru requested review from estrajnik and removed request for estrajnik June 25, 2025 10:22
sekhara-madduru
sekhara-madduru commented Jun 25, 2025
View reviewed changes
Copy link
Collaborator Author

@sekhara-madduru sekhara-madduru left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

resolved

@sekhara-madduru sekhara-madduru dismissed estrajnik’s stale review June 25, 2025 10:25

its already addressed

@sekhara-madduru sekhara-madduru removed the request for review from estrajnik June 25, 2025 10:26
pdulimitta
pdulimitta approved these changes Jul 1, 2025
View reviewed changes
Copy link

@pdulimitta pdulimitta left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm;

@pdulimitta pdulimitta merged commit 987345c into main Jul 1, 2025
64 of 91 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@estrajnik estrajnik estrajnik left review comments

+4 more reviewers

@lony25 lony25 lony25 approved these changes

@pdulimitta pdulimitta pdulimitta approved these changes

@yusharma-pp yusharma-pp yusharma-pp approved these changes

@tlobbregt tlobbregt tlobbregt approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@sekhara-madduru @lony25 @estrajnik @pdulimitta @yusharma-pp @tlobbregt