Enabling jenkins-security-scan ?


Jean-Marc Meessen

Dec 2, 2021, 10:11:29 AM
to Jenkins Developers
While checking a reference project (file-parameter-plugin) for proper CD setup, I have seen that the repository is flagged as "jenkins-security-scan-enabled". I understand, but maybe being just naive, that some sort of static security analysis is enabled. 

I didn't see anything in the reference project or in the documentation.

Any hints where to look for more info, how to enable it, and handle the output (experience has taught me that it can be quite overwhelming)? 

Is this a recommendation when "modernizing/refreshing" a plugin? Or is it still experimental?

/- Jmm

Daniel Beck

Dec 2, 2021, 10:29:51 AM
to jenkin...@googlegroups.com
On Thu, Dec 2, 2021 at 4:11 PM Jean-Marc Meessen <jean...@meessen-web.org> wrote:
While checking a reference project (file-parameter-plugin) for proper CD setup, I have seen that the repository is flagged as "jenkins-security-scan-enabled". I understand, but maybe being just naive, that some sort of static security analysis is enabled. 

I didn't see anything in the reference project or in the documentation

That was (is?) a prototype of security scans of all branches of a repo, rather than the "default branch only" approach mentioned in https://www.jenkins.io/blog/2020/11/04/codeql/  -- which is why the labeled repos are just plugins maintained by Mark, Oleg, Jesse or me. Since this approach doesn't scale all that well (all of the scanning on a private Jenkins security team CI instance that does not receive webhooks), I've abandoned making it official in favor of something like a GitHub Action I hope to still publish this year.

Meanwhile, you are welcome to label your plugin repo, and within a day or two, you should see security scans show up in your repo at Security -> Code scanning alerts. (The same goes for everyone else reading this: go nuts and make me make progress with the GH Actions!) Since it's unofficial, it may just disappear some time after I've published the official alternative, but if you read this list, you'll learn about that and can set that up instead.

Since the findings are the same no matter how the scan is invoked, if they're unclear or otherwise unhelpful, please email me, or the jenkinsci-cert list, about them.
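Jean-Marc's worry about scan output being overwhelming is the usual first reaction to a freshly enabled code scanning repo. The script below is an added example, not code from this thread or from the Jenkins project: it takes a list of alert records shaped like the GitHub REST API "code scanning alerts" response (fields such as `rule.id`, `rule.security_severity_level`, `state`, `most_recent_instance.location`; the exact field names are an assumption here, and the sample alerts, paths and rule ids are constructed for illustration) and reduces them to an open-alert count per severity, a per-rule count, and a worst-first triage queue so one rule can be handled in one pass.

```python
"""Summarise code scanning alerts into something a plugin maintainer can act on.

Added example, not part of the mailing-list thread or of any Jenkins plugin.
The record shape mirrors what the GitHub code-scanning alerts API returns
(assumption); SAMPLE_ALERTS is constructed data, not output from a real scan.
"""
import json
from collections import Counter, defaultdict

# Order used to sort and filter; anything unknown sorts last.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample alerts: rule ids look like CodeQL Java query ids, paths are made up.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open",
     "rule": {"id": "java/path-injection", "security_severity_level": "high"},
     "most_recent_instance": {"location": {"path": "src/main/java/example/Upload.java", "start_line": 120}}},
    {"number": 2, "state": "open",
     "rule": {"id": "java/log-injection", "security_severity_level": "medium"},
     "most_recent_instance": {"location": {"path": "src/main/java/example/Builder.java", "start_line": 44}}},
    {"number": 3, "state": "open",
     "rule": {"id": "java/path-injection", "security_severity_level": "high"},
     "most_recent_instance": {"location": {"path": "src/main/java/example/Upload.java", "start_line": 207}}},
    {"number": 4, "state": "dismissed",
     "rule": {"id": "java/path-injection", "security_severity_level": "high"},
     "most_recent_instance": {"location": {"path": "src/test/java/example/UploadTest.java", "start_line": 9}}},
    {"number": 5, "state": "open",
     "rule": {"id": "java/zipslip", "security_severity_level": "critical"},
     "most_recent_instance": {"location": {"path": "src/main/java/example/Unpack.java", "start_line": 61}}},
]


def load_alerts(text):
    """Parse the JSON array an API client would hand over (json.loads wrapper kept for symmetry)."""
    return json.loads(text)


def severity_of(alert):
    """Normalise the severity; alerts without a security severity are treated as low."""
    return (alert.get("rule", {}).get("security_severity_level") or "low").lower()


def summarize(alerts):
    """Counts of open alerts by severity and by rule, plus a worst-first location list."""
    open_alerts = [a for a in alerts if a.get("state") == "open"]
    by_severity = Counter(severity_of(a) for a in open_alerts)
    by_rule = Counter(a["rule"]["id"] for a in open_alerts)
    worst_first = sorted(
        (
            (severity_of(a), a["rule"]["id"],
             a["most_recent_instance"]["location"]["path"],
             a["most_recent_instance"]["location"]["start_line"])
            for a in open_alerts
        ),
        key=lambda t: (SEVERITY_ORDER.get(t[0], 99), t[1], t[2], t[3]),
    )
    return {"open_by_severity": dict(by_severity), "rules": dict(by_rule), "worst_first": worst_first}


def triage_queue(alerts, min_severity="medium"):
    """Open alert numbers at or above min_severity, grouped by rule id."""
    threshold = SEVERITY_ORDER[min_severity]
    grouped = defaultdict(list)
    for a in alerts:
        if a.get("state") != "open":
            continue  # dismissed/fixed alerts need no work
        if SEVERITY_ORDER.get(severity_of(a), 99) <= threshold:
            grouped[a["rule"]["id"]].append(a["number"])
    return dict(grouped)


if __name__ == "__main__":
    report = summarize(SAMPLE_ALERTS)
    print("open by severity:", report["open_by_severity"])
    print("open by rule:    ", report["rules"])
    for sev, rule, path, line in report["worst_first"]:
        print(f"  [{sev}] {rule} at {path}:{line}")
    print("queue (high+):   ", triage_queue(SAMPLE_ALERTS, "high"))
```

Feeding it real data means replacing `SAMPLE_ALERTS` with the parsed response of the code-scanning alerts endpoint for the repo; the dismissed alert in the sample shows why filtering on `state` matters, since a dismissal from a test file would otherwise keep reappearing in the queue.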
