Integration Psalm Security Scan Actions in a Security Starter Workflow

[eroullit]

Hi Psalm Team ! 👋

GitHub offers a wide variety of starter workflows to help the community integrate new CI pipelines quickly and efficiently.

I have prepared a pull request aiming to integrate Psalm Security Scan workflow within it.
To finalise it, your action would need to be registered in GitHub technology partner program

If you are interested, could you fill out this form ?

In any case, feel free to contact me.

[weirdan]

I suppose we need to fix the build first.

[eroullit]

Hey @weirdan ! 👋

The build is back in shape and we start getting positive feedback about it ✨

I would like to finalise the work initiated on the starter-workflow repo to make it a breeze to integrate Psalm Security Scan workflow in a repo.

For that, the psalm/psalm-github-security-scan action would need to be enrolled in the GitHub technology partner program.

[weirdan]

That form doesn't make much sense to me. We're not a business (none of the active maintainers, for sure). Vimeo likely holds the copyright (@muglug can you clarify?) but is not actively involved in Psalm anymore, as far as I can tell.

[eroullit]

Hey @weirdan ! 👋

The technical partner program is mainly for third components which are integrated in GitHub itself or in its Marketplace..

Its related terms and conditions can be found here and they would need to be agreed by the current maintainers.

[muglug]

Hey! The main worry I have here is the increased burden on Psalm’s volunteer maintainers when someone starts using security analysis via this workflow, having not used Psalm before.

Psalm’s security analysis works best in the hands of a security researcher who understands the capabilities of it and similar tools. I’m concerned that push-button workflows that lack a contractual commitment might create an onerous amount of work.

[eroullit]

First and foremost, I would like to thanks you for maintain Psalm and all related actions. ❤️

It is already helping greatly all PHP-based open source software developers and security researchers to find defects on already existing codebase but also on newly developed code.

User’s feedback about alerts raised by Psalm has been very positive overall.
Even more so since the Psalm security action has been updated.

Many open-source projects backed either by companies or volunteers have chosen to have dedicated starter workflows to give users an easy and correct way to setup the first version of their static analysis workflows such as:

• Sobelow to scan code written in Elixir for the Phoenix Framework
• Kubesec to check Helm chart deployment on Kubernetes clusters
• Clippy to check for common programming mistakes in Rust
• Rubocop for Ruby

So far, the synergies between the security researchers building these tools and the developers have been a boon for software security allowing them to ship safer and better code overall.

[griffinashe]

Hi @muglug, I work on our security ecosystem team here at GitHub. Would you be open to talking through this some time soon?

[orklah]

Hey @griffinashe! Matt no longer works on Psalm. I could try to answer your questions though I'm not exactly sure to understand all the ins and out of what is suggested in this thread

[griffinashe]

@orklah - Sorry for the delayed response. If you email me @griffinashe@github.com with some times that work for you the week of July 10th or July 17th I can send an invite out to discuss.

[orklah]

I'm not very used to have oral discussion in English. Could that be an email or a chat?

[griffinashe]

@orklah Of course. Please send me an email at the address in my previous message and we can discuss there.