Enable Code Scanning #77
Comments
Thanks @galargh. I agree with a progressive rollout. Where are you thinking of starting? I would also want to make sure that teams are seeing the security findings as part of their triage process. Right now most teams are just looking at issues and PRs that come through the ecosystem dashboard.
I was thinking Kubo + Boxo since there's quite a bit of active development going on there. We're already running Gateway Conformance. Maybe some libp2p repos next or a full rollout afterwards.
Good callout. I'll keep that in mind when we're doing a trial run.
No rush, but can you please summarize what has been done so far, any key learnings, and the next steps?
We're already running Code Scanning in Kubo so I haven't touched it. I've enabled default Code Scanning in Boxo. The plan is to gather some stats about runtimes/runner usage in a week or two and try to reason, based on our monitoring data, what effect enabling it everywhere would have on the org. Once that's done, we'll decide whether we can enable it everywhere with default settings or not. My intuition tells me that we will want to enable it everywhere BUT we'll want to use an advanced version for the most active repositories to reduce its impact on runner usage. If that's indeed the case, we'll wait for GitHub to publish a REST API for code scanning manipulation and proceed with the rollout via GitHub Management once it's out.
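As an added illustration (not code from this thread, nor from the Kubo or Boxo repositories), this is what the "advanced" setup mentioned above typically looks like: a checked-in CodeQL workflow whose triggers are narrowed so that it consumes fewer runner minutes than the org-wide default setup. The branch name, the `go` language, the cron schedule and the ignored paths are assumptions chosen for illustration; the action names and inputs are the published `github/codeql-action` ones.

```yaml
# Added example: CodeQL "advanced setup" workflow with triggers narrowed
# to reduce runner usage. Branch, language, schedule and paths are
# assumptions for illustration, not settings taken from any real repo.
name: CodeQL

on:
  push:
    branches: [main]            # assumption: default branch is "main"
    paths-ignore:               # assumption: docs-only changes need no scan
      - '**/*.md'
      - 'docs/**'
  pull_request:
    branches: [main]
    paths-ignore:
      - '**/*.md'
      - 'docs/**'
  schedule:
    - cron: '0 3 * * 1'         # assumption: one full scan weekly, Monday 03:00 UTC

# Cancel a superseded PR scan when a new push arrives on the same ref,
# so busy PRs do not queue several concurrent CodeQL runs.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Least privilege: the job only needs to read the repo and upload SARIF.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [go]          # assumption: a Go codebase
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

One caveat a practitioner would want before copying the `paths-ignore` filters: if the code scanning check is configured as a required status check on the branch protection rule, a PR that touches only ignored paths will leave that check pending rather than passing, and the PR will be blocked from merging. Either keep the filters off for required checks, or make the check non-required and rely on the scheduled run plus push scans on the default branch.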
We should enable GitHub default code scanning in selected repositories. Why not everywhere? This change is user facing, it has impacts on PRs and pushes, it takes up GHA runner time - we should understand the implications better before going all out.
Ref https://www.notion.so/pl-strflt/Secret-Code-Scanning-w-Alain-e28db2eaa6e84465a98bac6ee063ceaf