Run tests on a schedule and integrate with Datadog's test optimization product #342
Conversation
![datadog-datadog-prod-us1[bot]](https://avatars.githubusercontent.com/u/365230?s=60&v=4){kind=small}
| - 8126:8126 | ||
| steps: | ||
| - name: Configure Datadog Test Optimization | ||
| uses: datadog/test-visibility-github-action@v2 |
There was a problem hiding this comment.
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
michael-richey
changed the title
Datadog Summary✅ Code Quality ❌ Code Security ❌ Dependencies Next StepsFix this code security issue introduced by this PR: 🔴 High: github-actions/unpinned-actions
Fix these dependency issues introduced by this PR: 🔴 High: certifi 2022.12.7
🔴 High: setuptools 67.6.0
🟠 Medium: aiohttp 3.9.5
Was this helpful? Give us feedback! |
| deepdiff==6.7.1 | ||
| aiohttp==3.9.5 | ||
| tqdm==4.66.2 | ||
| certifi>=2022.12.7 |
There was a problem hiding this comment.
🔴 High: Library Vulnerability
certifi → 2022.12.7
Removal of e-Tugra root certificate
| tqdm==4.66.2 | ||
| certifi>=2022.12.7 | ||
| python-dateutil | ||
| setuptools>=67.6.0 |
There was a problem hiding this comment.
🔴 High: Library Vulnerability
setuptools → 67.6.0
setuptools vulnerable to Command Injection via package URL
| click==8.1.7 | ||
| configobj==5.0.8 | ||
| deepdiff==6.7.1 | ||
| aiohttp==3.9.5 |
There was a problem hiding this comment.
🟠 Medium: Library Vulnerability
aiohttp → 3.9.5
In aiohttp, compressed files as symlinks are not protected from path traversal
| configobj==5.0.8 | ||
| deepdiff==6.7.1 | ||
| aiohttp==3.9.5 | ||
| tqdm==4.66.2 |
There was a problem hiding this comment.
🟡 Low: Library Vulnerability
tqdm → 4.66.2
tqdm CLI arguments injection attack
| @@ -0,0 +1,18 @@ | |||
| boto3==1.35.91 | |||
| click==8.1.7 | |||
| configobj==5.0.8 | |||
There was a problem hiding this comment.
🟡 Low: Library Vulnerability
configobj → 5.0.8
configobj ReDoS exploitable by developer using values in a server-side configuration file
| - name: Checkout code | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | ||
| - name: Configure Datadog Test Optimization | ||
| uses: datadog/test-visibility-github-action@v2 |
There was a problem hiding this comment.
🔴 High: Code Vulnerability
Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
What does this PR do?
Integrate with Datadog's test optimization product and run the tests more regularly.
Description of the Change
Configure the github actions.