Enabling Code Scanning - CodeQL Analysis using GitHub Actions
Note: Code Scanning is currently in Beta - Join the waitlist using this link
For demonstration, I will use a repository with known security vulnerabilities and coding errors, the former of which were also tackled using the GitHub Native Dependabot application; to read that blog, please visit the link below.

Shifting From Dependabot Preview to GitHub Native Dependabot App | by Nishkarsh Raj | Medium

NishkarshRaj/Maven-Using-CMD: Create a project in Java using Apache Maven Build tool via Command Line and use GitHub Actions to build it on remote Docker Engine.
Step 1) Click on Security Tab on your Repository
Step 2) Under Code Scanning Alerts - Click on Code Scanning
Step 3) Setup CodeQL Analysis GitHub Actions
Let's take a look at the GitHub Actions job YML script and understand a few important points:
```yaml
name: "CodeQL"

on:
  push:
    branches: [master]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [master]
  schedule:
    - cron: '0 8 * * 6'

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        # Override automatic language detection by changing the below list
        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
        language: ['java']
        # Learn more...
        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection

    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
      with:
        # We must fetch at least the immediate parents so that if this is
        # a pull request then we can checkout the head.
        fetch-depth: 2

    # If this run was triggered by a pull request event, then checkout
    # the head of the pull request instead of the merge commit.
    - run: git checkout HEAD^2
      if: ${{ github.event_name == 'pull_request' }}

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v1
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
        # By default, queries listed here will override any specified in a config file.
        # Prefix the list here with "+" to use these queries and those in the config file.
        # queries: ./path/to/local/query, your-org/your-repo/queries@main

    # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
      uses: github/codeql-action/autobuild@v1

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl

    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
    #    and modify them (or add more) to build your code if your project
    #    uses a compiled language

    #- run: |
    #   make bootstrap
    #   make release

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v1
```
- When will the Action perform the analysis:
  1. Event driven:
     i. push - push event on the master branch
     ii. pull_request - pull request on master or any sub branch.
  2. Time driven: cron schedules can be created. Cron is an open source package used to schedule tasks and events. To learn more about cron jobs, use this link.
It will take a few minutes for the CodeQL engine to analyze your repository for the first time. Wait until the Action jobs have successfully finished.
Step 4) View the GitHub Native Alerts Dashboard
Hurray!
There were no errors or security issues in this repository.
In Part 3, I will create a demo repository, add intentional code and security errors, and see how the CodeQL engine helps us with them.
Adios
The posts are meant to spread awareness about the latest tips and tricks for upcoming and trending technologies in the software world.
If you like this work, please support me by following me on Dev, GitHub and Twitter. Cheers! ❤️