Enabling Code Scanning - CodeQL Analysis using GitHub Actions
Note: Code Scanning is currently in Beta - Join the waitlist using this link
For demonstration, I will use a repository with known security vulnerabilities and coding errors, the former of which were also tackled using the GitHub-native Dependabot application; to read that blog post, please visit the link below.
Shifting From Dependabot Preview to GitHub Native Dependabot App | by Nishkarsh Raj | Medium
Demo repository: NishkarshRaj / Maven-Using-CMD - Create a project in Java using the Apache Maven build tool via the command line and use GitHub Actions to build it on a remote Docker Engine.
Step 1) Click on Security Tab on your Repository
Step 2) Under Code Scanning Alerts - Click on Code Scanning
Step 3) Set up the CodeQL Analysis GitHub Action
Let's take a look at the GitHub Actions job YML script and understand a few important points:
- When will the Action perform the analysis:
1. Event driven:
i. Push - push event on the master branch.
ii. Pull_request - pull request on master or any sub branch.
2. Time driven: cron schedules can be created. Cron is the open source job scheduler on Unix-like systems, used to run tasks at fixed times. To learn more about cron jobs, use this link.
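As an added example (not the workflow from the article or from the Maven-Using-CMD repository), here is a CodeQL workflow in the shape the template generates for a Java/Maven project, with the three trigger kinds described above. The action versions and the weekly cron expression are assumptions, so compare them with the template GitHub generates for you.

```yaml
# Added example: CodeQL workflow for a Java/Maven repository.
# Constructed for illustration; action versions and the cron expression
# are assumptions to check against the current GitHub template.
name: "CodeQL"

on:
  push:
    branches: [ master ]          # event driven: every push to master
  pull_request:
    branches: [ master ]          # event driven: pull requests targeting master
  schedule:
    - cron: '30 1 * * 0'          # time driven: 01:30 UTC every Sunday

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write      # required to upload results to Code Scanning

    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      # Initializes the CodeQL tools; 'java' matches the Maven demo project
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: java

      # Autobuild compiles the project so CodeQL can observe the Java build;
      # a standard Maven project is detected and built automatically
      - name: Autobuild
        uses: github/codeql-action/autobuild@v1

      # Runs the queries and uploads the SARIF results to the Security tab
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v1
```

If Autobuild fails for a non-standard build, replace that step with an explicit `run: mvn -B package` so CodeQL can still trace compilation.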
It will take a few minutes for the CodeQL engine to analyze your repository for the first time. Wait until the Action jobs have finished successfully.
Step 4) View the GitHub Native Alerts Dashboard
Hurray! 💗
There were no errors or security issues in this repository.
In Part 3, I will create a demo repository, add intentional coding and security errors, and we'll see how the CodeQL engine helps us with them. 😄
Adios
The posts are meant to spread awareness about the latest tips and tricks for upcoming and trending technologies in the software world.
If you like this work, please support me by following me on Dev, GitHub and Twitter. Cheers! ❤️