CodeQL Analysis on GitHub

Enabling Code Scanning - CodeQL Analysis using GitHub Actions

Note: Code Scanning is currently in Beta - Join the waitlist using this link

For demonstration, I will use a repository with known security vulnerabilities and coding errors; the former were also tackled using the GitHub-native Dependabot application. To read that post, please visit the link below.

NishkarshRaj / Maven-Using-CMD

Create a project in Java using Apache Maven Build tool via Command Line and use GitHub Actions to build it on remote Docker Engine.

Step 1) Click on Security Tab on your Repository

Step 2) Under Code Scanning Alerts - Click on Code Scanning

Step 3) Setup CodeQL Analysis GitHub Actions

Let's take a look at the GitHub Actions job YML script and understand a few important points:

  • When the Action performs the analysis:

1. Event driven:

i. Push - a push event on the master branch.

ii. Pull_request - a pull request on master or any sub-branch.

2. Time driven: cron schedules can be created. Cron is an open-source utility used to schedule tasks and events. To learn more about cron jobs, use this link.
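The three trigger types described above, shown together in a complete CodeQL workflow file. This is an added example, not the file GitHub generates for the repository; the `master` branch comes from the text, while the cron expression, the `java` language and the `permissions` block are assumptions for this demo.

```yaml
name: "CodeQL"

on:
  # 1. Event driven: analyse every push to master ...
  push:
    branches: [ master ]
  # ... and every pull request that targets master
  pull_request:
    branches: [ master ]
  # 2. Time driven: cron schedule, here 02:30 UTC every Monday (constructed value)
  schedule:
    - cron: '30 2 * * 1'

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    # Least privilege: the job only needs to read the repo and upload SARIF results
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: [ 'java' ]   # assumption: the demo repository is a Java/Maven project
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      # Installs the CodeQL CLI and prepares a database for the selected language
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: ${{ matrix.language }}

      # Builds the compiled-language project so CodeQL can observe the compilation
      - name: Autobuild
        uses: github/codeql-action/autobuild@v1

      # Runs the queries and uploads findings to the Security tab
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v1
```

Commit this file as `.github/workflows/codeql-analysis.yml`; the scheduled run keeps reporting on the default branch even when no commits arrive, so newly added queries still get applied to existing code.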

It will take a few minutes for the CodeQL engine to analyze your repository for the first time. Wait until the Action jobs have finished successfully.

Step 4) View the GitHub Native Alerts Dashboard

Hurray! 💗

There were no errors or security issues in this repository.

In Part 3, I will create a demo repository, add intentional coding and security errors, and see how the CodeQL engine helps us find them. 😄

The posts are meant to spread awareness about the latest tips and tricks for upcoming and trending technologies in the software world.

If you like this work, please support me by following me on Dev, GitHub and Twitter. Cheers! ❤️

