Using Frogbot for scanning this repository

[eyalbe4]

Dear urfave/cli maintainers,

My name is Eyal and my team at JFrog is maintaining Frogbot, JFrog CLI and few more open source projects used by our community. We're using your awesome library for the above two projects and wanted to thank you for the awesome work you're doing!

I wanted to ask you whether you'd like us to install Frogbot on this repository for you. We can set it up to scan pull requests for security vulnerabilities and/or scan the entire repository periodically. The service is completely free of charge and we'll be helping and guiding you through the setup. We'll also be supporting you in case you'll need any future assistance.

Please let me know if you're interested. We can also continue communicating about this offline.

Thanks,
Eyal

[dearchap]

@eyalbe4 Thanks for this. Yes we would be interested. Let me know how we can go about setting this up. Is this via a github action ?

[eyalbe4]

Great @dearchap!

Yes, Frogbot can use GitHub as its runtime.
Let's set Frogbot up as follows.

First, let's create a free JFrog Platform in the cloud for Frogbot to run the scans with. To create the platform, follow the Step 1 - Optionally set up a FREE JFrog Environment in the Cloud section. Write down the username and password you used for setting up the JFrog Platform.

Next, add the URL, username and password as GitHub secrets and also create a GitHUb Environment as described here under the Install Frogbot Using GitHub Actions section.

I have just created #1718, which adds the Frogbot GitHub workflows. You can review and merge it after implemeting the above steps.

Please let me know if you have any questions.

[abitrolly]

@dearchap looks like Frogbot turned on manual approval on each PR before CI tests can be run. For me such paranoid security measure on CI is a sign that people don't trust their codebase and security of their CI setup, which is a bad sign.

[dearchap]

Yes its an inconvenience.