Configuring advanced setup for code scanning with CodeQL

by Matt Warwick

27 November 2023

Security

Security

The views and opinions expressed in this post are those of the author and do not necessarily reflect the official policy or position of the Department of Education.

We have recently enabled and configured advanced security for GitHub Actions in our software project. Enabling this allows our source code to be scanned regularly for vulnerabilities.

Configuring code scanning with CodeQL in GitHub involves several steps. Below is a summary of the process:

Prepare Your Repository:

• Ensure your repository is set up on GitHub.
• Make sure your codebase is compatible with CodeQL.

Create a CodeQL Analysis Workflow:

• In your repository, create a .github/workflows directory if it doesn’t exist.
• Inside this directory, create a YAML file (e.g., codeql-analysis.yml) for your workflow.

Define Workflow Configuration:

• Configure the workflow to run on specific events (e.g., push, pull_request) in the YAML file.
• Specify the CodeQL analysis job, including the CodeQL toolchain version and language to analyze.

Define CodeQL Analysis Job:

• Use the codeql/analyze action to define the CodeQL analysis job.
• Set the entry point for the analysis, which is typically a CodeQL query file.
• Specify the source location and language for analysis.

Add CodeQL Query Files:

• Create CodeQL query files (.ql) to define the security analysis rules.
• These queries help identify vulnerabilities and issues in your code.

Configure Code Scanning Alerts:

• Specify how you want GitHub to handle code scanning alerts.
• You can choose to create issues, annotations, or take custom actions based on the analysis results.

Commit and Push Changes:

• Commit the workflow configuration file and CodeQL query files to your repository.
• Push the changes to trigger the workflow.

Monitor Code Scanning Results:

• Once the workflow runs, monitor the CodeQL analysis results in the GitHub Security tab.
• Review and address any identified security vulnerabilities or code issues.

Customize and Iterate:

• Customize the workflow and CodeQL queries based on your project’s needs.
• Iterate on the configuration as your codebase evolves.

Documentation and Resources:

• Refer to the GitHub documentation and CodeQL documentation for detailed information and troubleshooting.
• Explore additional features and options to enhance your code scanning process.

I have an idea

I found a bug

I have a question