DEV Community: Vinicius Pereira

How to Enable CodeQL Analysis in Your GitHub Repository

Vinicius Pereira — Sun, 18 May 2025 01:28:14 +0000

What is CodeQL?

CodeQL is GitHub's semantic code analysis engine that lets you discover vulnerabilities in your code before they reach production. It treats code as data, allowing you to query your codebase like a database and find security weaknesses automatically.

Why Use CodeQL?

Detect Real Vulnerabilities: Find SQL injections, XSS, path traversals, and more
Integrated Security: Runs directly in your GitHub workflow
Multiple Languages: Supports JavaScript, TypeScript, Python, Java, C#, C++, Go, and Ruby
Free for Public Repositories: Complete security analysis at no cost for open-source projects

Setting Up CodeQL Analysis in few Steps

Enable GitHub Actions in Your Repository

First, make sure GitHub Actions is enabled:

Navigate to your repository on GitHub

Click on the "Settings" tab

Select "Actions" from the sidebar

Make sure "Allow all actions and reusable workflows" is selected

First (easier) method

Go to your repository and click in `Security` Tab.

Now click on setup code scanning

Now select `Default` option

After select default you'll see the following prompt

It shows languages that you have in your project and workflows if available too. You can click in edit to remove languages, workflows, select branchs to run and so forth.

Now the second way

Create a CodeQL Workflow File
Create a new file at .github/workflows/codeql-analysis.yml with the following content:

name: "CodeQL Analysis"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: '30 1 * * 0'  # Runs at 1:30 AM UTC every Sunday

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ 'javascript', 'python' ]  # Modify these languages as needed
        # Available options: 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby'

    steps:
    - name: Checkout repository
      uses: actions/checkout@v3

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
      with:
        languages: ${{ matrix.language }}

    # Autobuild attempts to build any compiled languages
    - name: Autobuild
      uses: github/codeql-action/autobuild@v2

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v2
      with:
        category: "/language:${{matrix.language}}"

Customize for Your Project

Modify the workflow file based on your needs:

Branches: Change main to your default branch name if different
Languages: Update the language matrix to include only languages your project uses
Schedule: Adjust the cron schedule as needed for regular scanning

Commit and Push Your Changes

git add .github/workflows/codeql-analysis.yml
git commit -m "Add CodeQL security scanning workflow"
git push

View Results in the Security Tab

After the workflow runs:

Go to your repository on GitHub
Click on the "Security" tab
Select "Code scanning alerts" from the left sidebar
Review any security vulnerabilities discovered by CodeQL

Code with some security alerts

Advanced Configuration

Custom Build Steps
If your project requires custom build steps instead of using the autobuild feature:

# Replace the autobuild step with custom commands
- name: Custom Build Steps
  run: |
    # Add your custom build commands here
    ./configure
    make bootstrap
    make release

- name: Perform CodeQL Analysis
  uses: github/codeql-action/analyze@v2
Adding CodeQL Query Suites
You can use custom query suites for specialized analysis:
yaml- name: Initialize CodeQL
  uses: github/codeql-action/init@v2
  with:
    languages: ${{ matrix.language }}
    queries: security-extended,security-and-quality

Available query suites include:

security-extended: Additional queries for security analysis
security-and-quality: Security queries plus quality and correctness

Troubleshooting

Common Issues

Workflow not running
- Check that GitHub Actions is enabled
- Verify branch names match your repository
Builds failing
- Look at workflow logs to identify build issues
- Consider using custom build steps if autobuild fails
Memory issues
- For large codebases, you might need to adjust RAM limits:

- name: Initialize CodeQL
  uses: github/codeql-action/init@v2
  with:
    languages: ${{ matrix.language }}
    ram: '8192'

Best Practices

Run on schedule to catch issues even when code isn't actively being pushed
Review alerts promptly and address security issues
Use pull request integration to catch issues before they're merged
Configure code owners for security alerts to ensure follow-up

Conclusion

Setting up CodeQL is a powerful step toward securing your codebase. By incorporating it into your GitHub workflow, you create an automated security review process that can catch vulnerabilities before they impact your users.
For more information, check GitHub's official CodeQL documentation.

Have you implemented CodeQL in your projects? Share your experience in the comments below!

Entendendo pacotes e modulos em Go!

Vinicius Pereira — Fri, 20 Sep 2024 03:24:31 +0000

Desvendando Pacotes e Módulos em Go: O que eu não entendia no começo

Quando eu comecei a programar em Go, eu já tinha uma boa base em C, que foi minha primeira linguagem de programação. Isso me ajudou bastante, porque o Go tem muita coisa em comum com C — desde a simplicidade até a performance. Menos palavras-chave, menos complexidade, e uma curva de aprendizado mais suave. Mas então veio a parte que me deixou meio perdido: pacotes, módulos e o tal do go mod.

Eu lembro de pensar: "Eu só quero compilar um programa simples, por que preciso me preocupar com pacotes?" E os módulos? Parece que eles surgem do nada e todo mundo fala que são essenciais para gerenciar dependências. Mas calma, vou explicar tudo de um jeito simples para quem já programa, mas ainda não pegou o jeito dessas coisas em Go.

Pacotes no Go: Dividindo e Organizando o Código

Primeiro, o conceito de pacote no Go é bem parecido com o que você já viu em C. Pense nos pacotes como uma forma de organizar e reutilizar seu código. Em C, quando você separa funções em arquivos .h e .c, no Go você faz algo similar, mas com pacotes. Cada pacote agrupa funcionalidades e permite que você importe o que precisa em outras partes do código.

Por exemplo, ao invés de ter todas as funções jogadas em um único arquivo, você pode dividir em pacotes:

package main

import "fmt"

func main() {
    fmt.Println("Hello, Go!")
}

Aqui, fmt é um pacote da biblioteca padrão que cuida da formatação de I/O. Ao importar, você acessa as funções dele. E você pode criar seus próprios pacotes da mesma forma, facilitando a manutenção e organização do código.

E o tal do `go mod`?

Agora, a parte dos módulos. É aqui que a coisa fica interessante. Se pacotes são como as bibliotecas em C, os módulos são como um "super pacote" que gerencia tudo isso. Eles permitem que seu projeto baixe e use pacotes de terceiros sem dor de cabeça, de uma forma organizada e segura.

O go mod é o comando que te ajuda a configurar seu projeto para usar esses módulos. Quando você inicia um projeto novo com go mod init, você está basicamente criando uma configuração que o Go vai usar para gerenciar as dependências. Isso significa que ele vai baixar automaticamente os pacotes que seu projeto precisa (sem ter que baixar na mão, como você faria em C).

Por exemplo:

go mod init meu-projeto
go get github.com/pacote/fantastico

Com esses comandos, o Go cria o arquivo go.mod, que guarda as informações das dependências do seu projeto. Depois, quando você rodar go build, o Go baixa tudo o que precisa para compilar, direto da internet, sem você ter que se preocupar.

Resumindo...

Quando você organiza seu código em pacotes e usa módulos para gerenciar dependências, o Go fica muito mais eficiente. No começo, pode parecer confuso (eu também não entendi de cara), mas assim que você pega o jeito, percebe que pacotes e módulos tornam seu código mais escalável e limpo. Tudo flui melhor, principalmente em projetos grandes.

Shared Library (Dynamic linking) - It's not about libs

Vinicius Pereira — Thu, 11 Jul 2024 01:10:13 +0000

This is my first post here so, let's go.

Disclaimer: I won't create expectations with my posts. Everything I share is part of my learning process, which often involves explaining things to others. I found this method to be particularly effective during my time at 42 School. Therefore, I'll be posting about various topics I'm currently learning or have already learned.

Why this post?

I'm actually doing a challenge for a job vacancy and I was struggling with shared objects and I'm doing it in my home, so I remember who hard are don't have another person near you to ask things even if they don't know the answer, they help you to think and find new ways or they have new ideas or even better, they help you to have new ideas and so forth.

First step

This challenge involves creating a shared library in any programming language of my choice.
The library will be tested with a specifically crafted binary file written in C. My goal is to ensure the library functions as intended based on the provided test outputs.

Working on it

During a recent interview, I was presented with a challenge: create a shared library that functions as a CSV processor. Initially, I opted to develop it in Go. It seemed like a straightforward task...

While writing the Go code itself wasn't an issue, the real challenge arose in integrating the library with the C binary. Every attempt resulted in different errors, often related to missing symbols in the generated shared object (.so file).

Fortunately, I eventually found a solution and was able to test the library using the provided binary. However, running the program resulted in a core dump, indicating unexpected behavior.

To address this issue, I opted to switch to C++. The primary reason was the perceived ease of interfacing shared objects created in C++ with C binaries. This approach minimized debugging difficulties and eliminated core dumps.

Final Thoughts

Despite the initial hurdles, I'm still tackling the CSV processor challenge in C++. Having a better understanding of shared objects and dynamic linking ~~(thanks to my previous experience with static libraries)~~ is definitely helpful. However, the initial issues I encountered took a significant amount of time to resolve.

Cya!

Some references to learn about static and dynamic:

Reduce Your Compile Time
Low level learning video ~~I love this channel~~
Introduction and creation
C Programming