Identifying code vulnerabilities is a growing concern for every software engineer: how do you reduce the security vulnerabilities in a growing code base? To tackle this problem I started exploring and was introduced to GitHub's CodeQL.
Read this document by Github to learn more about application security. It covers various aspects like:
- State of application security today.
- Traditional vs. end-to-end security.
- Developer first application security with GitHub.
- Intro to CodeQL & Code Scanning.
- How to enable Github Code scanning with CodeQL?
CodeQL is an industry-leading semantic code analysis engine developed by GitHub, designed to identify vulnerabilities in a codebase. It treats your code as data by building a database that can be queried for vulnerabilities: you write queries against that data to find patterns, vulnerabilities and bugs. For more details, click here.
CodeQL can be used in conjunction with Code scanning, GitHub's native SAST (Static Application Security Testing) tool: a developer-first approach to SAST that enables vulnerabilities to be found and remediated before they reach production.
This workshop video gives a walkthrough on:
- How to install the CodeQL VS Code extension.
- How to download a pre-generated Bootstrap database with the CodeQL CLI.
- How to write queries that identify the unsafe jQuery plugin vulnerabilities found in a specific version of Bootstrap (v3.4.0).
After following the workshop video you should be able to use CodeQL.
Code scanning is GitHub’s native SAST tool. More about it can be found here.
3.1. Fork the twbs/bootstrap public repository into your GitHub account.
3.2. Create a new branch (code-scan-v3.4.0) from the v3.4.0 tag. Since the database used in the workshop video is generated from the same version of Bootstrap, we will get similar vulnerabilities to those in the workshop video.
3.3. Enable Code Scanning: since Code Scanning is available for all public repositories, I have enabled it with the help of this.
3.4. Actions workflow file: update the branch name (code-scan-v3.4.0) in the CodeQL action workflow file we enabled in the previous step, so that the action is triggered only on push and PR events for this branch (code-scan-v3.4.0).
I have removed the cron schedule to avoid running it periodically; based on your requirements you can add specific workflow trigger events. Check this for more info on GitHub Actions event triggers for workflows.
3.5. Copy the .github folder from the main branch to the new branch (code-scan-v3.4.0), since it is missing there. I have copied the folder and committed it to the code-scan-v3.4.0 branch. Since we configured the workflow to be triggered on push and PR in the previous step, this push will also trigger Code scanning.
Make sure the CodeQL workflow changes we added in the previous step are present in this branch.
3.6. After the scanning is complete, you can find the alerts here:
Change the branch name in the filters to see the alerts belonging to the code-scan-v3.4.0 branch.
You can now see the Unsafe jQuery plugin alerts, which are similar to those in the workshop video.
To trigger the workflow again you can either re-run the old job or push a new commit to the branch. To re-run, click Re-run all jobs on the CodeQL workflow summary page:
The Code scanning above was done with GitHub Actions, using the free minutes available in the public repository quota.
Code scanning is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security. For more information, please read this.
Read this to learn more about Actions billing.
Additionally, you can also run code scanning using an external CI system; read this for setting up a custom runner for CodeQL.
Also read this to learn about the hardware resource requirements for running CodeQL.
FYI, there are other scanners available in the GitHub Marketplace in addition to the CodeQL scanner.
Check the image below to add other workflows.
Hope this helps!