
CodeQL scan of default branch - weekly #1765

Closed
2 of 4 tasks
ldraney opened this issue Apr 30, 2024 · 3 comments
Labels: github_actions, Notify, PTEMS, security

Comments

ldraney commented Apr 30, 2024

User Story - Business Need

  • Ticket is understood, and QA has been contacted (if the ticket has a QA label).

User Story(ies)

As a manager of the notification-api repo
I want to have a weekly CodeQL scan on our default branch (master)
So that we keep compliance with VA mandated security practices

Additional Info and Resources

  • See this ticket for clarification on what needs to happen for this ticket.
    • Update settings in the repo's security tools console
    • Remove outdated CodeQL scan from our workflows

This ticket is in response to the VA Code Scanning Policy Announcement,
as well as their recent comment regarding our lack of a weekly cronjob.
This cronjob is in addition to the trigger for every PR merge to our default branch;
This cronjob should be at least once every seven days;
I suggest that having it once every three days would allow time to resolve any failures within that timeframe.

It should be working already?

From the VA announcement:

For repositories that DO NOT contain Java or C# code, you likely won’t need to perform any additional configuration. You can confirm your scans are working as intended by checking the Security Tools status page of your repository. This page can be found by navigating to the Security tab in your repository, selecting Code Scanning and then Tool Status. Alternatively you may navigate directly there using this format: https://github.com/department-of-veterans-affairs/_/security/code-scanning/tools/CodeQL/status.

If you are unable to configure your repository for any reason, or have general questions, please feel free to open an issue in the GitHub User Requests repository.

So perhaps opening an issue there is the step AFTER ensuring we have the correct configuration already (it seems that we do at the time of writing this ticket).

Considering that, by their own instructions, our check is running, it may be time to open an issue.

Current CodeQL setup

Our current CodeQL cronjob and PR checks are found in .github/workflows/codeql-analysis.yml
It already has a cronjob to run on Monday and Thursday mornings, calling the Department of Veterans Affairs CodeQL-Tools repo, which seems to be running fine, seeing that it ran according to that cronjob here and here:

So what additional workflow needs to be run? Or does this one need to be fixed?

Ideally, just adding an additional CodeQL check as a weekly cronjob, which would need to come from this repo or the security-tools repo, would be the solution here; but it seems that should already be the case.

So the first step may indeed be opening an issue, as stated in the VA Policy announcement.

Acceptance Criteria

  • We no longer get warnings, comments, or alerts signaling a lack of compliance with the VA CodeQL security policy.

Speed of communication with the Department of Veterans Affairs

@ldraney ldraney added Notify, github_actions, security labels Apr 30, 2024
@ldraney ldraney changed the title CodeQL scan of default branch - CodeQL scan of default branch - weekly Apr 30, 2024
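As an added example (not code from the notification-api repository, and not the Department of Veterans Affairs CodeQL-Tools workflow the issue refers to), the block below shows the shape of what the policy above asks for: a CodeQL workflow that runs on pushes and pull requests to master and also on a cron schedule, together with a small check that computes the longest interval between two scheduled runs so a repo owner can confirm the "at least once every seven days" requirement before the VA flags it. The sample workflow text, the action versions (the public github/codeql-action) and the checker itself are assumptions constructed for this example; the checker only bounds schedules expressed by day of week (day-of-month and month both `*`) and returns None for anything it cannot bound.

```python
"""Check that a GitHub Actions CodeQL workflow is scheduled at least once
every seven days, in addition to its push/pull_request triggers.

Added example: the workflow below is constructed for illustration and is not
the notification-api repo's actual .github/workflows/codeql-analysis.yml.
"""
import re
from itertools import product

# Constructed sample workflow (assumption): Monday and Thursday at 09:00 UTC.
SAMPLE_WORKFLOW = """\
name: CodeQL
on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  schedule:
    - cron: '0 9 * * 1,4'
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python
      - uses: github/codeql-action/analyze@v3
"""

# Same workflow with a monthly cron, which would violate a weekly policy.
MONTHLY_WORKFLOW = SAMPLE_WORKFLOW.replace("'0 9 * * 1,4'", "'0 9 1 * *'")

# Matches "- cron: '<expr>'" lines; avoids needing a YAML parser for this check.
CRON_RE = re.compile(r"^\s*-\s*cron:\s*['\"]?([^'\"\n]+?)['\"]?\s*$", re.MULTILINE)


def cron_expressions(workflow_text):
    """Return every cron expression listed under schedule: in the workflow."""
    return [m.group(1).strip() for m in CRON_RE.finditer(workflow_text)]


def _expand(field, lo, hi):
    """Expand one cron field ('*', '1,4', '1-5', '*/2') into sorted ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/")
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-"))
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return sorted(values)


def max_gap_hours(cron):
    """Longest interval between consecutive firings, in hours.

    Only day-of-week schedules (day-of-month and month both '*') are supported;
    anything else returns None, meaning this check cannot bound the gap.
    """
    minute, hour, dom, month, dow = cron.split()
    if dom != "*" or month != "*":
        return None
    minutes = _expand(minute, 0, 59)
    hours = _expand(hour, 0, 23)
    days = [d % 7 for d in _expand(dow, 0, 7)]  # cron allows 7 as Sunday
    # Firing times within one week, in minutes since Sunday 00:00.
    fires = sorted({d * 1440 + h * 60 + m for d, h, m in product(days, hours, minutes)})
    gaps = [b - a for a, b in zip(fires, fires[1:])]
    # Wrap around the week boundary: last firing to the first of next week.
    gaps.append(fires[0] + 7 * 1440 - fires[-1])
    return max(gaps) / 60


def meets_weekly_policy(workflow_text, max_days=7):
    """True if the workflow has a push trigger and a cron that fires at least every max_days."""
    has_push = re.search(r"^\s*push:", workflow_text, re.MULTILINE) is not None
    gaps = [max_gap_hours(c) for c in cron_expressions(workflow_text)]
    return has_push and any(g is not None and g <= max_days * 24 for g in gaps)


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_WORKFLOW), ("monthly", MONTHLY_WORKFLOW)):
        print(name, cron_expressions(text), meets_weekly_policy(text))
```

Run against a real repo by reading `.github/workflows/codeql-analysis.yml` into `meets_weekly_policy`; a `None` gap means the schedule uses day-of-month or month fields and has to be reviewed by hand rather than assumed compliant.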
ldraney commented Apr 30, 2024

Get the correct new CodeQL scan from the announcement (I assume) and add it to our current cronjob

kalbfled commented

I concur that we seem to be in compliance. I created a ticket to request assistance.

kalbfled commented May 1, 2024

We followed the instructions provided to us on the ticket linked in my previous comment. The only remaining action is to delete our existing CodeQL scanning action.

Kyle updated the repo security settings. (I don't have access.)
