Update CodeQL analysis workflow
b4yuan opened this issue · comments
Hello,
I am with a group of researchers looking to improve security in open-source embedded software by using static analysis tools like CodeQL. We wrote up a report of our findings so far. The TL;DR is “CodeQL outperforms the other freely-available static analysis tools, with fairly low false positive rates and lots of real defects”. You can read about the report here: https://arxiv.org/abs/2310.00205
Currently, the CodeQL workflow in this repository performs an analysis, but I suggest making the following changes to the workflow:
- Upload CodeQL results to Code Scanning under the Security tab for ease of use
- Upload CodeQL results as an artifact under the workflow
- Allow for rule filtering, which may remove rules that result in too many false positives
I can open a PR with these changes if you would like. Please let me know!
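An added example of a workflow that implements the three changes above (this is illustrative code, not the repository's existing workflow and not the PR the reporter offers). The target language `c-cpp`, the `make` build step, the `main` branch and the excluded query id `cpp/unused-local-variable` are assumptions chosen for illustration; the two files are shown as one YAML stream separated by `---`:

```yaml
# File 1 (assumed path): .github/workflows/codeql.yml
name: CodeQL

on:
  push:
    branches: [main]          # assumption: default branch is "main"
  pull_request:
    branches: [main]
  schedule:
    - cron: '30 4 * * 1'      # weekly run so the Security tab stays current

# Least privilege: the job only needs to read the repo and write
# Code Scanning alerts; without security-events: write the upload to the
# Security tab fails.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: c-cpp     # assumption: C/C++ embedded code base
          # Query selection and rule filtering live in the config file below,
          # so the list of excluded rules is versioned next to the code.
          config-file: ./.github/codeql/codeql-config.yml

      - name: Build
        run: make              # assumption: the project builds with make

      - name: Analyze
        uses: github/codeql-action/analyze@v3
        with:
          # Write one <language>.sarif into this directory. The action's
          # default behaviour also uploads the results to Code Scanning
          # (change 1: results appear under the Security tab).
          output: sarif-results
          category: "/language:c-cpp"

      # Change 2: keep the raw SARIF as a downloadable workflow artifact,
      # so results can be inspected or post-processed without Security-tab access.
      - name: Upload SARIF as workflow artifact
        uses: actions/upload-artifact@v4
        with:
          name: codeql-sarif
          path: sarif-results

---
# File 2 (assumed path): .github/codeql/codeql-config.yml
name: "CodeQL config"

# Run the broader security-and-quality suite rather than the default suite.
queries:
  - uses: security-and-quality

# Change 3: rule filtering. Queries matched by an "exclude" filter are removed
# from the run, so their findings never reach the Security tab or the SARIF.
# The rule id below is a real CodeQL C/C++ query id, but excluding it is only
# an illustration; pick the rules that produce false positives in this code base.
query-filters:
  - exclude:
      id: cpp/unused-local-variable

# Optional: keep vendored or generated code out of the analysis.
paths-ignore:
  - third_party
  - build
```

Because query selection is placed in the config file only, the `queries` input is deliberately absent from the workflow step: if both were given, the workflow value would override the config file unless prefixed with `+`. Rules can also be excluded by tag (for example `tags contain: maintainability`) instead of by id when a whole class of checks is noisy.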
Yes, please.