Gradual deprecation of LGTM.com #29534
Replies: 20 comments 41 replies
-
good afternoon. Thanks. |
-
Will there be any way of downloading the CodeQL databases of various projects to query offline (like it is today on LGTM)? |
-
If I'm using LGTM with GitLab and BitBucket, what could I do to continue code analysis after LGTM shuts down? |
-
Hey, I work as an AppSec Engineer and have been actively using LGTM for a research piece I'm doing with CodeQL, is there anyone I can contact to plead my case for beta access 😅? |
-
Hey, I think this is a natural move, but will you be introducing any new functionality to GitHub to make it possible to easily list which projects have CodeQL databases built to bring it up to par with LGTM in this regard? One of the major reasons I used LGTM.com is because the UI makes it possible to exhaustively navigate projects which have public databases, whereas on GitHub unless I'm missing some major UX you have to navigate to each project and check if it does or not (and usually the answer is it does not) one by one, as opposed to just navigate a big list of projects which we know have databases (cutting down a lot of work when e.g. picking a security research project). |
-
It looks like the Query Console is not working at the moment. Even for the simplest queries (such as
Is this related to the deprecation and is it a known issue? |
-
Hey @sj, I introduced CodeQL for our repository yesterday (rathena/rathena#7208). Basically I totally understand the motive and reasoning for this move and support it. And great work so far! The only thing I am disappointed about is that CodeQL gives us only 6 alerts (the severity levels are questionable in my eyes) whereas LGTM gave us 69 alerts. So 10x more alerts. Do we need to configure additional queries, or what is the reason why we miss so many alerts that were found on LGTM? Also, will the severity levels be harmonized to the scores they had on LGTM? It feels like the severities on LGTM were much more accurate than they are now on CodeQL. Thanks in advance for your help! |
-
If possible I would like to beta-test the Query Console replacement, though I did not use the Query Console that actively during the past weeks. Therefore if there is a limit on the number of beta testers, I won't mind if I can't become one. My user name on the GitHub Security Slack channel is Marcono1234 (same as on GitHub). |
-
Is it possible to use CodeQL action workflow without uploading security alerts (i.e. as a Pull Request check only)? |
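For reference, here is an added example of a pull-request-only CodeQL workflow; it is not from this thread or from GitHub's own documentation, and the workflow file name, branch name and language (C++) are assumptions. It relies on the `upload` input of the `analyze` step, which skips sending the SARIF to the code scanning API, and instead keeps the results as a build artifact:

```yaml
# .github/workflows/codeql-pr-check.yml  (added example, not part of the thread)
name: CodeQL PR check

on:
  pull_request:
    branches: [ main ]          # assumed default branch

permissions:
  contents: read
  # security-events: write is only needed when results are uploaded;
  # with upload disabled below it can be left out.

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: github/codeql-action/init@v2
        with:
          languages: cpp        # assumed project language

      # Builds the project so the C++ extractor can observe the compilation.
      - uses: github/codeql-action/autobuild@v2

      - uses: github/codeql-action/analyze@v2
        with:
          upload: false         # do not push alerts to the code scanning API
          output: sarif-results # write the SARIF to this directory on the runner

      # Keep the SARIF for reviewers to download from the workflow run.
      - uses: actions/upload-artifact@v3
        with:
          name: codeql-sarif
          path: sarif-results
```

With `upload: false` the run produces no code scanning alerts and no PR annotations, so the check itself only tells reviewers whether the analysis completed; the findings live in the SARIF artifact. If you later want alerts to gate merges you need to upload and use the code scanning check instead.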
-
Hi sj, I am a security researcher at Indiana University, and I was wondering if you could please help with accessing reports that already exist on LGTM - would the API be the best way? I am unable to sign up as a new user. Finally, I also joined the slack.. |
-
Hi! I am an author of several projects which use LGTM (e.g. https://github.com/brainflow-dev/brainflow). According to https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/ we should get some automated PRs for migration, but it's already the end of October and there is nothing. So, should we do it by ourselves or wait a little more? |
-
Hello, We use LGTM and recently got the PR for switching to GH code scanning - sosreport/sos#3064. The initial change was functional, but we noticed that it was highlighting a large amount of alerts from our test suite, which we don't want scanned. Looking at the docs it seems like this should easily be remedied by adding a I did that, committing directly to lgtm's fork via the GH webUI, but the action is now failing saying that So, if it's not the documented |
-
Hi! This is kind of a silly question - are there plans for supporting the former LGTM badges that could be added to repo readmes that showed a code quality score? Even if a secondary feature, it was definitely nice to have a badge showing a clean score on my public repos. :) |
-
Hi! One of my repositories (https://github.com/roastduck/FreeTensor) uses LGTM, and I should have gotten an automated PR for migration, but there is none. I see there was some delay mentioned in another post in this discussion, but now it is the end of November, and there are less than two weeks before the planned disabling. Should I wait more or set it up ourselves? Thanks in advance. |
-
I have been using the LGTM interface in a software engineering unit that covered static analysis. The nice thing was that students could simply write their own checks and run them on GitHub repos. Is there any way to do it as easily with CodeQL as with LGTM? Sure, the language is the same, but I wonder about the interface. |
-
Hi, was wondering if we could get an automated migration PR for https://github.com/arkime/arkime thanks!! |
-
Hi, I am trying to exclude some directories from scanning. I wrote a custom configuration file containing a
However, I am analyzing for C++. Can I configure this exclusion for a C++ analysis? If not, can I hide the alerts for some directories (just like Thanks! |
-
Hi, I'm building/reviewing the automatic PR created for my C++ project by

```yaml
query-filters:
  - exclude:
      id: ext
```

This "ext" directory contains third party libraries/code that should not be included as part of LGTM scanning, except it doesn't seem to exclude these directories from scanning |
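The two posts above (excluding directories from a C++ analysis, and the `query-filters` entry that names a directory) both come down to which key in the code scanning configuration file does what. Below is an added example of such a file; it is not from this thread, from the migration PRs, or from GitHub's documentation, and the file name, the directory names and the query id used in the filter are placeholders. The point it illustrates: `paths-ignore` is the key that takes repository paths, while `query-filters` matches query metadata such as `id` or `tags`, so `id: ext` selects a query called `ext` (which does not exist) rather than the `ext/` directory. The `queries` key is also shown, since the default suite runs fewer queries than LGTM did:

```yaml
# .github/codeql/codeql-config.yml  (added example, not part of the thread)
name: "CodeQL config"

# Run the broader built-in suite; the default suite is much smaller than
# what LGTM.com used to run, which shows up as far fewer alerts.
queries:
  - uses: security-and-quality

# Path exclusions: patterns are matched against paths relative to the
# repository root. This is the key that removes vendored or test code.
paths-ignore:
  - ext                     # assumed: third-party code vendored under ext/
  - tests                   # assumed: test suite that should not be scanned
  - '**/*.generated.cpp'    # assumed: generated sources

# Query filters select queries by metadata (id, tags, severity), never by
# path. A filter with "id: ext" would match a query with that id, not a
# directory.
query-filters:
  - exclude:
      id: cpp/unused-local-variable   # example query id to drop
  - exclude:
      tags contain: maintainability   # drop a whole tag group
```

Point the `init` step at this file with `config-file: ./.github/codeql/codeql-config.yml`. One caveat for compiled languages such as C++: whether `paths-ignore` is honoured has depended on the CodeQL action version (older versions applied it only to interpreted languages, where no build is involved), so after enabling it, confirm in the alert list that nothing under the excluded directories still appears, and if it does, exclude the code at build time or check the documentation for the action version in use.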
-
Can you please remove all MITRE GitHub org projects from lgtm.com. github.com/mitre/heimdall2 Thank you and let us know if we need to take any actions |
-
Hello, my account is |
-
On the 15th of August, we announced the gradual deprecation of LGTM.com on the GitHub blog 📝. For more information, please take a look at that post — it contains key dates and information about migrating to GitHub code scanning.
If you have any questions or comments, feel free to discuss this news below. We'll do our best to answer any questions you might have!